
Re: Private keys and the emperor's clothes -Reply

At 03:05 PM 6/21/96 -0700, Bob Jueneman <bjueneman@novell.com> wrote:
>Well, now, let's think about that.  Out of the blue I get 
>sued by someone who claims to have my digital signature on a document, 
>with a certificate signed by a CA I never heard of. 

It's easy to verify whether the signature is good, so I assume
the document has a valid signature from a key that isn't yours,
or that you're contending your signature has been misused.
The latter is a potential problem with CA-generated keys,
though the former is probably independent of who generated them.

>I claim, "That isn't my signature, nor my certificate, and in fact I 
>never heard of this purported CA."  The CA rejoins, "Unfortunately,
> we had a fire which destroyed the written copy of the 
>acknowledgment you signed when you accepted the certificate, 
>but we insist that you did in fact request and were issued a 
>certificate signed by us that contained that public key.

To avoid the paper problem, and reduce the problem of signatures from
CAs you don't want signing your keys (e.g. the KGB, the KKK, etc.)
it may be worth having the key-owner sign the certificate
that the CA issues signing the key, either as a separate document
held by the CA or as a fundamental part of a certificate format.
The document could also include a digitized photograph, scan of
a hand-written signature, etc. to add artistic verisimilitude,
though of course these can be faked also...

>The fact that you have a certificate from another CA proves nothing, 
>for we don't have a rigid naming hierarchy or monopoly to impose a 
>discipline as to which CA you can request a certificate from. 

Rigid naming hierarchies don't really solve this.
A monopoly could help (note that you don't need a real monopoly -
anybody can declare themselves to be The Unique ID Company,
or some big players in the CA business could collaborate),
but unless you can prove physical uniqueness of human beings it's tough.
CA-generated keys don't help at all.

>Now, how much did you say you were willing to spend in legal fees 
>trying to prove that we are wrong? 

Against folks too sloppy to keep offsite backups, but who have deep
enough pockets to make a countersuit profitable? :-)

>(Maybe there is a moral here for e-mail protocol designers. 
>Perhaps both the name and address of the recipient, 
>together with the certificate information (issuer and serial number), 
>should be included in the signed portion of the 
>message, so that this kind of man in the middle attack could be detected.)

This has been discussed elsewhere, with the conclusion that it's usually
best to include the recipient's name, address, or key in the signed portion,
unless there's a good reason for them to remain anonymous.
E.g. Bob sends Alice a signed message saying
        To: Alice
        From: Bob
        -----BEGIN PGP SIGNED MESSAGE-----
        Goodbye - I'm seeing someone else.  Bob
        -----END PGP SIGNED MESSAGE----Bob's signature
which Alice readdresses to Carol, forging a From: Bob on it.

>I feel that for those reasons it is still highly preferable to have keys
>generated by the owner, and of course, best of all in hardware, and you
>are the first I've seen to mention the problem of controlling what got
>presented to a hardware crypto engine to be signed.

#				Thanks;  Bill
# Bill Stewart +1-415-442-2215 stewarts@ix.netcom.com
# http://www.idiom.com/~wcs
#				Distract Authority!
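The owner-countersigned certificate sketched above (the key-owner signs the CA's certificate with the certified key, replacing the paper acknowledgment) can be shown in a few lines. This is an added illustration, not code from the thread or from any CA product; it uses Ed25519 from Go's standard library instead of a 1996 certificate format, and the `subject=...;issuer=...;key=` to-be-signed encoding and the names are assumptions. Validation requires both signatures, so a certificate the subject never accepted fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert binds a subject name to a public key and carries two signatures:
// the issuing CA's, and the subject's own acceptance signature made with
// the key being certified (the electronic stand-in for the paper form).
type Cert struct {
	Subject  string
	Issuer   string
	PubKey   ed25519.PublicKey
	CASig    []byte // CA signature over tbs()
	OwnerSig []byte // key-owner signature over the same tbs()
}

// tbs is the assumed canonical "to be signed" encoding of the certificate.
func (c Cert) tbs() []byte {
	return append([]byte("subject="+c.Subject+";issuer="+c.Issuer+";key="), c.PubKey...)
}

// Issue creates the CA's half of the certificate.
func Issue(caPriv ed25519.PrivateKey, issuer, subject string, pub ed25519.PublicKey) Cert {
	c := Cert{Subject: subject, Issuer: issuer, PubKey: pub}
	c.CASig = ed25519.Sign(caPriv, c.tbs())
	return c
}

// Accept is the key-owner's acknowledgement: signing the certificate with
// the certified key itself.  Only the holder of that private key can do it.
func Accept(ownerPriv ed25519.PrivateKey, c Cert) Cert {
	c.OwnerSig = ed25519.Sign(ownerPriv, c.tbs())
	return c
}

// Validate requires both signatures.  A CA acting alone cannot produce the
// owner's signature, so a certificate the subject never accepted is rejected
// (ed25519.Verify returns false for a missing or wrong-sized signature).
func Validate(caPub ed25519.PublicKey, c Cert) error {
	if !ed25519.Verify(caPub, c.tbs(), c.CASig) {
		return errors.New("CA signature invalid")
	}
	if !ed25519.Verify(c.PubKey, c.tbs(), c.OwnerSig) {
		return errors.New("no valid acceptance signature from the key owner")
	}
	return nil
}

// CertScenario replays the thread's dispute with constructed keys: a CA Bob
// never heard of issues a cert for his key, once without and once with his
// acceptance.  It returns the validation result for each.
func CertScenario() (acceptedErr, unacceptedErr error) {
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bobPub, bobPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	c := Issue(caPriv, "Some CA Bob never heard of", "Bob", bobPub)
	unacceptedErr = Validate(caPub, c)
	acceptedErr = Validate(caPub, Accept(bobPriv, c))
	return
}

func main() {
	accepted, unaccepted := CertScenario()
	fmt.Println("accepted cert:  ", accepted)
	fmt.Println("unaccepted cert:", unaccepted)
}
```

The caveat the thread itself raises still applies: the acceptance signature only proves anything if the owner generated the key, since a CA that generated the private key could forge the acceptance as easily as the certificate.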
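The Bob/Alice/Carol re-addressing example above can be replayed to show why the recipient belongs inside the signed portion. This is an added example, not code from the thread; it substitutes Ed25519 from Go's standard library for PGP, and the `To:`/`From:` canonical form and the names are assumptions. The body-only variant models the thread's unsafe message; the bound variant rejects both a forwarded copy (signed for Alice, not Carol) and a copy with the `To:` line rewritten (signature breaks).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedNote keeps the To: and From: lines inside the signed portion, so the
// signature covers who the note was for, not just what it says.
type SignedNote struct {
	To, From, Body string
	Sig            []byte
}

// signedBytes is the assumed canonical form that the signature covers.
func signedBytes(to, from, body string) []byte {
	return []byte("To: " + to + "\nFrom: " + from + "\n\n" + body)
}

// Sign produces a note bound to a named recipient and sender.
func Sign(priv ed25519.PrivateKey, to, from, body string) SignedNote {
	return SignedNote{To: to, From: from, Body: body,
		Sig: ed25519.Sign(priv, signedBytes(to, from, body))}
}

// Verify checks the signature and then that the signed To: line names the
// verifying party.  Both checks matter: a re-addressed copy either keeps
// the old To: (fails the second check) or edits it (fails the first).
func Verify(pub ed25519.PublicKey, me string, n SignedNote) error {
	if !ed25519.Verify(pub, signedBytes(n.To, n.From, n.Body), n.Sig) {
		return errors.New("signature does not match the note")
	}
	if n.To != me {
		return fmt.Errorf("note is signed for %q, not %q", n.To, me)
	}
	return nil
}

// SignBodyOnly and VerifyBodyOnly model the thread's unsafe example, where
// only the text between the PGP markers is signed.
func SignBodyOnly(priv ed25519.PrivateKey, body string) []byte {
	return ed25519.Sign(priv, []byte(body))
}

func VerifyBodyOnly(pub ed25519.PublicKey, body string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(body), sig)
}

// Outcome records what each recipient concludes in the replayed scenario.
type Outcome struct {
	BodyOnlyForwardVerifies bool  // Carol accepts Alice's forwarded body-only copy
	AliceOK                 bool  // the bound note verifies for Alice
	ForwardErr              error // Carol checks the bound note, unchanged
	ReaddressErr            error // Carol checks a copy with To: rewritten
}

// Scenario replays Bob -> Alice -> Carol from the thread with constructed keys.
func Scenario() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	body := "Goodbye - I'm seeing someone else.  Bob"
	var o Outcome

	// Unsafe: the signature says nothing about the addressee, so Alice's
	// forwarded copy verifies for Carol exactly as it did for Alice.
	sig := SignBodyOnly(priv, body)
	o.BodyOnlyForwardVerifies = VerifyBodyOnly(pub, body, sig)

	// Safe: To:/From: are inside the signed portion.
	note := Sign(priv, "Alice", "Bob", body)
	o.AliceOK = Verify(pub, "Alice", note) == nil
	o.ForwardErr = Verify(pub, "Carol", note)
	tampered := note
	tampered.To = "Carol"
	o.ReaddressErr = Verify(pub, "Carol", tampered)
	return o
}

func main() {
	o := Scenario()
	fmt.Printf("body-only copy verifies for Carol: %v\n", o.BodyOnlyForwardVerifies)
	fmt.Printf("bound note verifies for Alice:     %v\n", o.AliceOK)
	fmt.Printf("forwarded unchanged to Carol:      %v\n", o.ForwardErr)
	fmt.Printf("re-addressed to Carol:             %v\n", o.ReaddressErr)
}
```

The recipient check in `Verify` is the piece most often forgotten: signing the `To:` line is useless unless the verifier also compares it against its own identity.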