[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SPKI signing keys only

To: spki@c2.net
Subject: Re: SPKI signing keys only
From: "William Allen Simpson" <wsimpson@greendragon.com>
Date: Mon, 23 Jun 97 16:49:14 GMT
Sender: owner-spki@c2.net

> From: dpkemp@missi.ncsc.mil (David P. Kemp)
> > From: Carl Ellison <cme@cybercash.com>
> > At 04:21 PM 6/15/97 +1000, Bob Smart wrote:
> > >Either way it seems that public key infrastructure should only
> > >cover signing keys. Mixing in other sorts of keys into that infrastructure
> > >is unnecessary and confusing. Or maybe I'm missing something?
> >
> > I concur completely as do the other authors of the SPKI draft, I believe.
> ...
> > From: "William Allen Simpson" <wsimpson@greendragon.com>
> > Thank you.  Now we need to make this more clear in the SPKI draft.
> >
> > I don't really like the term "signing keys", though.  Signing is an
> > activity.
> >
> > I usually explain it as:
> >
> >     Identification key: a long-term key that is associated with a
> >     particular role, person, machine, or process (usually a
> >     public/private key pair).
> >
> >     Communication key: a short-term key used for a message (usually an
> >     "ephemeral" symmetric secret key).
>
> I think Bob Smart's comment referred only to public/private key pairs,
> not symmetric keys.  Among public keys, there are those intended to
> authenticate an individual (realtime "entity authentication") or message
> (offline "data origin authentication")

First, in this context, I strongly prefer the term "Identification key"
to "entity/data origin authentication".  The former is a noun (a thing),
the latter verb(s).

> and those intended to be used to
> establish symmetric session keys ("key transport" or "key agreement").
> Bob, I believe, wished to have SPKI explicitly acknowledge the use
> of key pairs for "signing" (DOA and EA) but not for session key
> establishment.
>
Bob and Karl and I (and many others) all apparently agree that SPKI
should _never_ provide keys for communication session key establishment.

Indeed, Photuris and (I believe) Oakley are _very_ careful to never sign
the communication key itself.  The communication key is derived
exclusively from ephemeral material.

As I noted in the remainder of my message and I recapitulate for
emphasis here, it is much easier to explain to others the mechanism for
identification versus communication keys when they are 2 very different
constructs (asymmetric versus symmetric) with orthogonal usage.

And now I will add, because of the organization to which you belong,
there are strong technical and political reasons for keeping the
separation.  When explaining to US Senators and staff (as I have from
time to time), why certain bills are written by imbiciles, it is very
helpful to be able to distinguish between Identification keys and
Communication keys.

No legally competent Senator will vote for a bill that has no effect
other than to allow the FBI to impersonate a defendent.  Unfortunately,
there are plenty of Senators that are not legally competent, and the
public will probably spend millions of dollars in the courts throwing
out such laws on various grounds.

So, let me say again, SPKI should _never_ provide key establishment, and
this should be clearly stated.

WSimpson@UMich.edu
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
    Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2

Prev by Date: Re: multiple certification rules
Next by Date: Subject signing redux (was: Re: Mary is Mary)
Prev by thread: Re: SPKI signing keys only
Next by thread: Re: SPKI signing keys only
Index(es):
- Main
- Thread