[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: legal question about certs
"I'm not an attorney, but..."
This is precisely why, in the ABA Digital Signature Guidelines, and in the
statutes that several states have passed that follows those guidelines,
there is the requirement that the subscriber (subject) of a certificate
ACCEPT the certificate prior to it being valid. If the CA publishes a
certificate prior to the subject approving and accepting it, they are at
serious risk, and the subject can disavow any transaction that allegedly
signed with their key. You can consult the comments for further details.
That doesn't necessarily mean that the subject has to sign the certificate
to indicate acceptance, although that would seem to have some merit.
\Unfortunately, the argument is circular. If you are concerned about a
rogue CA issuing a certificate to someone who never heard of that CA, that
CA could invent whatever public/private key pair they wished, and embed that
key in the certificate they are issuing!
I realize that the argument is more convoluted than just issuing certs, but
this is certainly a danger that you have to watch out for. Although I'm not
sure that merely signing the certificate is sufficient because of the rogue
CA argument, without such a receipt there is going to have to be some much
more complex auditing and other functions provided.
Robert R. Jueneman
Internet Infrastructure Division
122 East 1700 South
Provo, UT 84604
>>> Carl Ellison <email@example.com> 06/25/97 04:20PM >>>
-----BEGIN PGP SIGNED MESSAGE-----
we have a gentle war brewing on the SPKI list.
The question is whether the subject of a certificate should sign it.
Normally, the issuer signs the cert -- giving some permission or access
to the subject. The subject doesn't need to sign the cert to receive those
However, there is a theory that for each transfer of rights in one
there is a transfer of responsibility in the other direction. Therefore,
subject should sign the cert accepting the responsibility that goes along
Ron Rivest argues that as cryptographers, all we care about is the rights
transfer...that the responsiblity transfer is the domain of lawyers.
For example, an attack is envisioned. Bad company, Acme, finds your public
key someplace from some legitimate cert of yours and generates a new cert
you, giving you access to their file system. Someone breaks into their file
system and does damage, wiping out the audit logs of who broke in. So, Acme
asks the age-old Perry Mason question: who had keys to that door? Your
(even though you never saw it) is a key to that door. That makes you a
suspect. If for other reasons you might be even the most logical suspect,
you might make it to the top of the police list and get severely hassled.
If certs all had to be signed by their subjects as well as their issuers,
we avoid this attack.
So, since we're not lawyers -- the question we need answered is whether the
attack above is credible and whether we should bother having dual signed
to protect against it. [Ie., require all certs to be dual signed -- not for
granting access, but for taking to court. The second signature doesn't have
be on the cert itself -- it could be on a receipt for a cert -- like the
signed back when companies would issue me brass keys to the front door. The
cert verifier doesn't need to see the receipt. However, if standard
is to get signed receipts for each cert issued, then the defense attny could
demand that Acme produce the receipt you signed for your key (cert) -- and
they can't, then claim that you never received the cert so you couldn't have
been the person breaking in and doing damage.]
Is this something we should worry about, in your opinion? Do you know
we should ask about this?
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
|Carl M. Ellison firstname.lastname@example.org http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |