
Re: [E-CARM] PKI, CAs, TTPs &c.


At 07:56 AM 3/27/98 +1000, LITTLER, Ian wrote:
>Let's think about why compromise of a root key is bad. It allows you to
>create entities which are not bona fide and commit all sorts of fraud
>(and if you know it's compromised then all issued certificates are
>invalid). If instead you keep a list of public keys in a secure
>environment then there are also risks, while it could be argued that
>they are less. If someone was able to steal the secret key in the first
>scenario then it must also be possible for them to break in and insert
>new public keys in the list and commit fraud that way. What you have
>lost is the flexibility which a certificate offers, i.e. use in a
>distributed manner.

Of course.  However, you can't get away from the ACL entry at the left end 
of the verification chain.  Some trusted memory in the verifier has to 
empower the left-most (some call it "root") key in the certificate chain, 
when you use certificates.

All we do with direct ACL entries for end users is avoid certificates where 
we don't need that flexibility.  For example, the keys for getting access 
through a small company firewall might be few enough in number to make 
certificate issuance all pain and no benefit.  By contrast, the keys to get 
through a firewall allowing people to go from Internet to Milnet would be so 
many in number, with so many different responsible agencies, that you'd 
definitely want those authorizations delegated via certificate.

 - Carl

|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street  PGP 08FF BA05 599B 49D2  23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
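The point of the reply, that a direct ACL entry and a certificate chain both start from a key the verifier's trusted memory empowers, as an added example that is not part of the original message. It uses a toy hash-based (Lamport) one-time signature in place of a real public-key scheme so it runs with the standard library; the root, agency, user and staff keys are constructed for the demonstration.

```python
import hashlib
import os

def H(b):
    return hashlib.sha256(b).digest()

# Toy Lamport one-time signatures (hash-only, standard library); each key pair signs once.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg):
    d = H(msg)
    return [sk[i][(d[i // 8] >> (7 - i % 8)) & 1] for i in range(256)]

def verify(pk, msg, sig):
    d = H(msg)
    return all(H(sig[i]) == pk[i][(d[i // 8] >> (7 - i % 8)) & 1] for i in range(256))

def key_id(pk):
    return H(b"".join(a + b for a, b in pk))
def issue(issuer_sk, issuer_pk, subject_pk):
    # A certificate: the issuer's signature over the subject key's id.
    return (issuer_pk, subject_pk, sign(issuer_sk, key_id(subject_pk)))
def authorized(acl, leaf_pk, chain):
    # acl: key ids held in the verifier's trusted memory.  chain: certificates
    # from the left-most (root) key to the leaf; empty means a direct ACL entry.
    if not chain:
        return key_id(leaf_pk) in acl
    if key_id(chain[0][0]) not in acl:          # left-most key must be empowered
        return False
    prev = chain[0][0]
    for issuer_pk, subject_pk, sig in chain:
        if key_id(issuer_pk) != key_id(prev):   # each link continues the last
            return False
        if not verify(issuer_pk, key_id(subject_pk), sig):
            return False
        prev = subject_pk
    return key_id(prev) == key_id(leaf_pk)

def demo():
    # Constructed keys: root CA, responsible agency, an end user reached only via
    # certificates, and a small-firewall user whose key sits directly in the ACL.
    (root_sk, root_pk), (agency_sk, agency_pk) = keygen(), keygen()
    (_, user_pk), (_, staff_pk) = keygen(), keygen()
    acl = {key_id(root_pk), key_id(staff_pk)}
    c1, c2 = issue(root_sk, root_pk, agency_pk), issue(agency_sk, agency_pk, user_pk)
    return {"direct": authorized(acl, staff_pk, []),
            "delegated": authorized(acl, user_pk, [c1, c2]),
            "unrooted": authorized(acl, user_pk, [c2])}   # agency key not trusted
```

The "unrooted" case fails even though every signature in it is valid, because the chain's left-most key has no entry in the verifier's trusted memory.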