[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PGPticket

To: Bill Stewart <bill.stewart@pobox.com>
Subject: Re: PGPticket
From: Tony Mione <mione@boeing.rutgers.edu>
Date: Tue, 9 Jun 1998 08:50:54 -0400 (EDT)
cc: Tony Bartoletti <azb@llnl.gov>, Vinnie Moscaritolo <vinnie@apple.com>, openpgp <ietf-open-pgp@imc.org>, pgpticket <ietf-pgpticket@vmeng.com>, Bill Frantz <frantz@netcom.com>, "spki@c2.net" <spki@c2.net>, "cme@cybercash.com" <cme@cybercash.com>
In-Reply-To: <3.0.5.32.19980607164135.008c1b00@popd.ix.netcom.com>
Sender: owner-ietf-open-pgp@imc.org

-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 7 Jun 1998, Bill Stewart wrote:

> At 03:52 PM 5/27/98 -0700, Tony Bartoletti wrote:
> >  >A client should never sign a challenge on it's own. the challenge should 
> >  >have a client random nonce  appended to it, then sign that. the nonce
> >  >can in fact be used as a counter challenge for the server to sign (whereby
> >  >it also attaches a random nonce)
> >
> >Vinnie,  You are absolutely right.  I was led astray by the wording of 6:
> >  "The client signs and returns the challenge string with a
> >  random nonce appended."

> Is appending the nonce good enough, or should you really prepend as well?
> The problem is that lots of applications can potentially be tricked by
> 	sign( "syntactically-correct-stuff,junk" )
> while they're less likely to accept messages with the junk first.
> 				Thanks! 

	I am working on this draft with Vinnie and have an idea on how to
solve this. I talked with him briefly about it. Basically, the response
should be another V4 standalone signature. The challenge is placed in a
notation subpacket that is the only 'hashed' subpacket. The signature on
the V4 sig packet is the hash of the notation subpacket containing the
challenge (kinda like a 'meta' signature).

	In the case of a client being one of several subjects in the
original PGPticket, their subject information should go in a separate
notation subpacket in the unhashed subpacket section. This will tell the
server which client is actually trying to use the ticket and keep them from
having to check the signature with each subject's key.

> 					Bill
> Bill Stewart, bill.stewart@pobox.com
> PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639

Tony Mione, RUCS/NS, Rutgers University, Hill 055, Piscataway,NJ - 732-445-0650
mione@nbcs-ns.rutgers.edu                 W3: http://www-ns.rutgers.edu/~mione/
PGPFP:E2252CCD28733C5B  0B918A4E22BAFA9F       ***** Important: John 17:3 *****
Author of 'CDE and Motif : A Practical Primer', Prentice-Hall PTR

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBNX0vq/MKRuSgNA5pAQHDRAL/cee0WD2kJCKxq2q4lxenWVA70wEDuz2e
aeQ3yVaRdONJkDgcYjaEcBukI25dKzqJdNoH3QYvLM9r6M0JpAO7ACCC1PZvOJEW
w99wULcfsAi+ly0eX0FhEMvJz+d5j/S7
=O0Gh
-----END PGP SIGNATURE-----

References:

Re: PGPticket

From: Bill Stewart <bill.stewart@pobox.com>

Prev by Date: Re: PGPticket
Next by Date: DNS and X.501 DistinguishedName
Prev by thread: Re: PGPticket
Next by thread: Re: PGPticket
Index(es):
- Main
- Thread