[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

No Subject

On Mon, 8 Dec 1997, Carl Ellison wrote:

-> At 06:09 AM 12/8/97 -0200, Ed Gerck wrote:
-> >-> As I say frequently, there are only certificate loops -- with authority
-> >-> passing from the verifier through certificates back to the verifier.
-> >                                                                          
-> >Does the prisoner pass authority to the prison guard, so that the prison
-> >guard is allowed to keep the prisoner handcuffed?  Certificates do not
-> >pass authority from the verifier to the issuer. They convey information
-> >with an unidirectional flow to the verifier. Yes, the verifier may gauge
-> >and select the information content but he may not choose the gauge,
-> >neither may he change the information nor may he denote it. 
-> Each verifier needs to know which so-called root keys it accepts and for 
-> what kind of authorization.  

The root-keys you mention are part of the gauge I noted above, which the
verifier uses in order to accept/reject the certificate within its

Such root-keys build a certificate chain which is not defined in its
atomic components by the verifier even though he may choose which branches
he wants to link to and at which point to should stop the chain (as I
point out above, by selecting what he desires from the available choices
provided by the issuer).

That is, the verifier (in X.509 model) must decide to stop the root-key
chain somewhere, defining that point as his trusted final root.  This
completely defines the gauge, its scope and trust level -- which was
chosen by the issuer (in all possible branching combinations) but is
selected and interpreted in its final "geometry" by the verifier. 

So, the trust relationships of the root-keys with each other are not
defined, chosen or even known by the verifier -- but the root-keys are
used as the verifier decides, based on his own trust relationships to the
root-keys, for each branch and depth level.  For example, in Apache-SSL,
the verifier may (correctly and prudently)  decide that certificate chains
may not exceed depth one and thus decide as based solely on his trust to
the first CA.

-> That closes the loop.  

A loop can only be closed between like quantities. 

Here, you are equating apples (trust relationships of the root-keys with
each other and with the issuer) with speedboats (trust relationships of
the root-keys with the verifier, by itself), so there is no "loop of

-> There is no root key
-> from God, much though NSA might like to think so :)          

The Internet has no absolute references and no absolute root-key, ever. 
For two parties to communicate securely they must know each other's keys,
as allowed by X.509 and PGP certificates -- which provide for what is
called key-transport certification. The same type of key-transport
certification happens with the proposed SPKI/SDSI certificates. Such
certificates must always depend on a chain of certificates that ends .... 
in a certificate, which is the root-key you choose to trust. 

In other words, the security design for SPKI/SDSI certificates is the same
as for X.509 and PGP and simply says that for two unknown parties in a
dialogue, they need extrinsic references (the root-keys or CAs, trust
relationships of the root-keys with each other and with the issuer, trust
relationships of the root-keys with each party by itself) in order to
securely transport data (keys, references, authorizations, etc.) to each

So, there is no "trust loop" in SPKI/SDSI either, like X.509 or PGP.


Dr.rer.nat. E. Gerck                        egerck@laser.cps.softex.br