
Re: Private keys and the emperor's clothes -Reply



At 03:05 PM 6/21/96 -0700, Bob Jueneman wrote:
>>>> "Brian M. Thomas" <bt0008@entropy.sbc.com> 06/21/96 03:01pm >>>

>Well, now, let's think about that.  Out of the blue I get sued by someone who claims to have my
>digital signature on a document, with a certificate signed by a CA I never heard of. [...]
> "Unfortunately, we had a fire [...]
>Now, how much did you say you were willing to 
>spend in legal fees trying to prove that we are wrong? 

Yup -- another good scenario arguing against the whole idea of CAs.  Thanks.


>(Maybe there is a moral here for e-mail protocol designers. Perhaps both the name and address of the recipient, 
>together with the certificate information (issuer and serial number), should be included in the signed portion of the 
>message, so that this kind of man in the middle attack could be detected.)

Good, if you're relying on a CA's certificate -- or people could use key-centered certification and not have this problem.


>Best of all in hardware controlled by the user. I'm reasonably security conscious, but "pond scum" 
>would probably be a reasonable representation of my own home computer security environment, 
>and would almost surely be applicable to the vast majority of unsuspecting users of this brave 
>new world of technology. 

I agree.  My home computers are probably also pond scum, for security.

However, look at it from a hacker's point of view.  A potentially insecure system isn't available unless it's been infiltrated.  The percentage of infiltrated systems is very small.  So -- a potentially insecure system could be secure for the moment.

 - Carl
From ???@??? Tue Jun 25 12:20:23 1996
Return-Path: <owner-spki@c2.org>
Received: from callandor.cybercash.com (callandor1.cybercash.com) by cybercash.com (4.1/SMI-4.1)
	id AA26925; Tue, 25 Jun 96 05:19:59 EDT
Received: by callandor.cybercash.com; id FAA03157; Tue, 25 Jun 1996 05:16:21 -0400
Received: from infinity.c2.org(140.174.185.11) by callandor.cybercash.com via smap (V3.1)
	id xma003152; Tue, 25 Jun 96 05:16:03 -0400
Received: (from daemon@localhost) by infinity.c2.org (8.7.4/8.6.9)
	id BAA19970 for spki-outgoing; Tue, 25 Jun 1996 01:57:47 -0700 (PDT)
	Community ConneXion: Privacy & Community: <URL:http://www.c2.net>
Message-Id: <199606240743.AAA11498@infinity.c2.org>
X-Sender: stewarts@popd.ix.netcom.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 24 Jun 1996 00:41:06 -0700
To: Bob Jueneman <bjueneman@novell.com>
From: Bill Stewart <stewarts@ix.netcom.com>
Subject: Re: Private keys and the emperor's clothes -Reply
Cc: spki@c2.org
Status: RO
Sender: owner-spki@c2.org
Precedence: bulk

At 03:05 PM 6/21/96 -0700, Bob Jueneman <bjueneman@novell.com> wrote:
>Well, now, let's think about that.  Out of the blue I get 
>sued by someone who claims to have my digital signature on a document, 
>with a certificate signed by a CA I never heard of. 

It's easy to verify whether the signature is good, so I assume
the document has a valid signature from a key that isn't yours,
or that you're contending your signature has been misused.
The latter is a potential problem with CA-generated keys,
though the former is probably independent of who generated them.

>I claim, "That isn't my signature, nor my certificate, and in fact I 
>never heard of this purported CA."  The CA rejoins, "Unfortunately,
> we had a fire which destroyed the written copy of the 
>acknowledgment you signed when you accepted the certificate, 
>but we insist that you did in fact request and were issued a 
>certificate signed by us that contained that public key.

To avoid the paper problem, and reduce the problem of signatures from
CAs you don't want signing your keys (e.g. the KGB, the KKK, etc.)
it may be worth having the key-owner sign the certificate
that the CA issues signing the key, either as a separate document
held by the CA or as a fundamental part of a certificate format.
The document could also include a digitized photograph, scan of
a hand-written signature, etc. to add artistic verisimilitude,
though of course these can be faked also...

>The fact that you have a certificate from another CA proves nothing, 
>for we don't have a rigid naming hierarchy or monopoly to impose a 
>discipline as to which CA you can request a certificate from. 

Rigid naming hierarchies don't really solve this.
A monopoly could help (note that you don't need a real monopoly -
anybody can declare themselves to be The Unique ID Company,
or some big players in the CA business could collaborate),
but unless you can prove physical uniqueness of human beings it's tough.
CA-generated keys don't help at all.

>Now, how much did you say you were willing to spend in legal fees 
>trying to prove that we are wrong? 

Against folks too sloppy to keep offsite backups, but who have deep
enough pockets to make a countersuit profitable? :-)

>(Maybe there is a moral here for e-mail protocol designers. 
>Perhaps both the name and address of the recipient, 
>together with the certificate information (issuer and serial number), 
>should be included in the signed portion of the 
>message, so that this kind of man in the middle attack could be detected.)

This has been discussed elsewhere, with the conclusion that it's usually
best to include the recipient's name, address, or key in the signed portion,
unless there's a good reason for them to remain anonymous.
E.g. Bob sends Alice a signed message saying
        To: Alice
        From: Bob
        -----BEGIN PGP SIGNED MESSAGE-----
        Goodbye - I'm seeing someone else.  Bob
        -----END PGP SIGNED MESSAGE----Bob's signature
which Alice readdresses to Carol, forging a From: Bob on it.

>I feel that for those reasons it is still highly preferable to have keys
>generated by the owner, and of course, best of all in hardware, and you
>are the first I've seen to mention the problem of controlling what got
>presented to a hardware crypto engine to be signed.


#				Thanks;  Bill
# Bill Stewart +1-415-442-2215 stewarts@ix.netcom.com
# http://www.idiom.com/~wcs
#				Distract Authority!
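Added example, not part of the thread or of any SPKI code: a small Python model of two proposals in Bill Stewart's message above, (1) putting the sender and recipient inside the signed portion of a message so that a readdressed copy is rejected by the new recipient, and (2) keeping the key-owner's acknowledgement as a countersignature on the CA's certificate rather than as a paper record. All keys, names and message texts are constructed; an HMAC-SHA256 tag stands in for the public-key signature, so each `*_KEY` below plays the role of one party's key pair and the scenarios only show which fields the signature covers.

```python
"""Model of recipient binding in signed messages and of key-owner countersignatures
on CA certificates (constructed example; HMAC stands in for a real signature)."""
import hashlib
import hmac
import json

# Constructed keys. In a real system each would be a private/public key pair;
# here the same bytes serve for signing and verifying.
BOB_KEY = b"constructed-key-bob"
ALICE_KEY = b"constructed-key-alice"
CA_KEY = b"constructed-key-example-ca"


def canonical(fields):
    # Deterministic encoding so signer and verifier hash exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign(key, fields):
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


def signature_ok(key, fields, sig):
    return hmac.compare_digest(sign(key, fields), sig)


def make_message(sender_key, sender, recipient, text, bind_recipient):
    """Build a message with an unsigned envelope (To/From headers) and a signed body.
    With bind_recipient=True the signed body also names the sender and recipient."""
    signed = {"text": text}
    if bind_recipient:
        signed["from"] = sender
        signed["to"] = recipient
    return {"to": recipient, "from": sender, "signed": signed,
            "sig": sign(sender_key, signed)}


def readdress(msg, new_recipient):
    """The forwarding trick from the thread: the envelope is rewritten for a new
    recipient while the signed body and the signature are left untouched."""
    forged = dict(msg)
    forged["to"] = new_recipient
    return forged


def check_message(msg, sender_key, my_name):
    """What the recipient checks. Returns 'ok' or the reason the message is rejected."""
    if not signature_ok(sender_key, msg["signed"], msg["sig"]):
        return "bad signature"
    signed = msg["signed"]
    if "to" not in signed:
        # Nothing ties the signed text to a recipient: readdressing is undetectable.
        return "ok"
    if signed["to"] != my_name or signed["to"] != msg["to"]:
        return "recipient mismatch"
    if signed["from"] != msg["from"]:
        return "sender mismatch"
    return "ok"


def issue_certificate(ca_name, subject, subject_key_id, serial):
    """The CA's one-sided certificate: only the CA's signature is on it."""
    body = {"issuer": ca_name, "subject": subject, "key": subject_key_id, "serial": serial}
    return {"body": body, "ca_sig": sign(CA_KEY, body)}


def accept_certificate(cert, subject_key):
    """The key-owner's acknowledgement, stored with the certificate instead of on paper."""
    acknowledged = dict(cert)
    acknowledged["owner_sig"] = sign(subject_key, cert["body"])
    return acknowledged


def certificate_acknowledged(cert, subject_key):
    """Does this certificate carry evidence that the key-owner requested it?
    The CA's signature alone proves only what the CA asserted."""
    return "owner_sig" in cert and signature_ok(subject_key, cert["body"], cert["owner_sig"])


if __name__ == "__main__":
    plain = make_message(BOB_KEY, "Bob", "Alice", "Goodbye - I'm seeing someone else.", False)
    print("unbound, readdressed to Carol:", check_message(readdress(plain, "Carol"), BOB_KEY, "Carol"))
    bound = make_message(BOB_KEY, "Bob", "Alice", "Goodbye - I'm seeing someone else.", True)
    print("bound, readdressed to Carol:  ", check_message(readdress(bound, "Carol"), BOB_KEY, "Carol"))
    cert = issue_certificate("Unknown CA", "Bob", "key-id-bob", 1)
    print("CA signature only:            ", certificate_acknowledged(cert, BOB_KEY))
    print("with owner countersignature:  ", certificate_acknowledged(accept_certificate(cert, BOB_KEY), BOB_KEY))
```

With the envelope alone naming the recipient, Carol's check passes on the readdressed copy because every byte under the signature is unchanged; once the recipient is inside the signed body, the same copy fails with a recipient mismatch. The certificate half shows the same idea applied to the fire-destroyed-paperwork scenario: a record bearing only the CA's signature says nothing about whether Bob asked for it, whereas a countersignature under Bob's key can be verified by anyone holding the certificate.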