[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Subject signing redux (was: Re: Mary is Mary)

To: spki@c2.net
Subject: Re: Subject signing redux (was: Re: Mary is Mary)
From: dpkemp@missi.ncsc.mil (David P. Kemp)
Date: Fri, 27 Jun 1997 10:24:01 -0400
Sender: owner-spki@c2.net

> From: "E. Gerck" <egerck@laser.cps.softex.br>
>
> -> If he trusts Jon, and Jon lied,
> -> then Ed has the basis for a lawsuit against Jon, not against Mary.
> 
> This point is clear, but it is not the issue. The attack is also
> different.
> 
> 1. Engineer, don't suppose:
> As once said, law is no substitute for engineering.
> 
> 2. The attack: 
> 
> The attack is "framing Mary".
>   [...]
> 
> So, Mary had her name used (possible constitutional rights?) without her
> authorization, to commit her to an obligation -- and she can't prove
> otherwise.


In the entire following discussion, I have not seen any technical arguments
to support the notion that there is an engineering solution to the framing
attack.  In particular, there has been no response to the points raised
by Jim McCoy and Steve Bellovin:

> From: Steven Bellovin <smb@research.att.com>
>
> After all, I could claim that that wasn't my certificate, but one they
> concocted out of whole cloth.


Please explain, in the simplest possible terms, how subject-signed
certificates prevent the "framing Mary" attack.

Assume:

  1) Jon wants to frame Mary. He issues a cert to his accomplice Mallet:

     Mallet's sig [
       Jon's sig { Subject=Mary, PubKey=1234, Auth="I am a lawyer" }
     ]


  2) Mallet uses the cert to conduct a legal transaction in Mary's name.

  3) Steve McGarret confronts Mary: "You've been practicing law without
     a license"

  4) Mary says: "But I don't have the private key to that cert.  Honest.
     I *swear*."

  5) McGarret:  "Book her, Danno."

Explain:

  How subject-signing allows Mary to *prove* that her name was used
  without her authorization.



If you want to know who is a lawyer in the U.S., you might wish to trust
only the ABA.  If you want to know who is licensed in a particular state,
you trust the state Bar.  If you want to know who is the company's lawyer,
you should trust an officer of the company, who's public key you presumably
obtained by some means that satisfies your assurance requirements.

If the ABA, or the state Bar, or IBM's CEO decide to violate your trust,
there is no engineering solution to prevent it.  In technical terms,
subject-signed certs "don't do squat" to address this framing attack.


Subject signing may have other benefits, particularly when used in
conjunction with non-SPKI identity certs.  It's more difficult to frame
Mary when she has a high-assurance global identity cert:

 C=US, O=IBM, CN=Mary Smith, Employee_number=932
 Public Key = 5678

coupled with a role cert (X.509 or SDSI or SPKI):

  Mary's sig [
    Jon's sig { Key = 5678, Auth = "I am a lawyer" }
  ]


You are still relying on the integrity of the identity-cert issuer, but
the role certs, which may be issued much more frequently, can leverage
off that trust with subject sigs.  If the identity cert issuer goes bad,
you're still hosed, and subject signing won't help.

Follow-Ups:

Re: Subject signing redux (was: Re: Mary is Mary)

From: Carl Ellison <cme@cybercash.com>

Prev by Date: Re: Pairwise merging of certificates
Next by Date: Re: SPKI signing keys only (errata)
Prev by thread: Re: Subject signing redux (was: Re: Mary is Mary)
Next by thread: Re: Subject signing redux (was: Re: Mary is Mary)
Index(es):
- Main
- Thread