[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Fwd: Revocation, etc...]

To: amg@lcc.uma.es
Subject: Re: [Fwd: Revocation, etc...]
From: Carl Ellison <cme@acm.org>
Date: Mon, 07 Sep 1998 03:40:08 -0700
Cc: spki@c2.net
In-Reply-To: <35766C1B.AF4AA83D@lcc.uma.es>
Sender: owner-spki@c2.net

-----BEGIN PGP SIGNED MESSAGE-----

At 11:42 AM 6/4/98 +0200, Antonio Mana Gomez wrote:
>	It introduces a security risk because once a certificate is issued
>	there is an interval of time that will allow a malicious user to
>	act freely whithout worriying about being discovered. In a digital
>	environment where the time scale is very small several minutes are
>	enough time to do a lot of transactions and therefore the mentioned
>	risk is not small.

Antonio,

	sorry for replying so late.  Your message fell in the cracks.

	I understand the fear of an irrevocable validity period.  However, the net 
doesn't provide instant broadcast.  Such isn't possible.	Therefore, there 
will be a period of time during which an announcement of revocation might be 
in transit but not received.  That length of time is one in which the 
verifier will be relying on data which the issuer (or someone) knows is false.
With the possibiliy of momentary disconnection from the net, this time period
might be much longer than the speed of light would imply.

	This is not a new concern.  The developers of ATMs addressed this by 
establishing a different security policy in case of disconnection from the 
net (e.g., $100 maximum per card).

	The issuer needs to ask himself, "During what interval of time am I 
willing to let the verifier believe this certificate after I know it to be
false?"  The answer to that question should give the validity period of 
either the cert or an on-line revalidation.  If the answer is exactly 0, 
then the issuer must demand one-time revalidations.

 - Carl

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3

iQCVAwUBNfO4BxN3Wx8QwqUtAQE5OgP/ZsjpGexbmXBEnH0XJgM5BeOBB34d+yip
TGen5Fn3BpWa2VE3E2PiOohfuDU8J+B91T7wYH5qV2zTMPp4iNvcD/23j/53fNo0
eJtDeH0f0h0Z5GCEzm7xRMs/4KaKSogzk9UntmLAPSHFceii1jmPcNm059Ak5KsK
J+n2IEuEUa0=
=j+Nc
-----END PGP SIGNATURE-----


+------------------------------------------------------------------+
|Carl M. Ellison         cme@acm.org     http://www.pobox.com/~cme |
|    PGP: 08FF BA05 599B 49D2  23C6 6FFD 36BA D342                 |
+--Officer, officer, arrest that man. He's whistling a dirty song.-+

Follow-Ups:

Re: [Fwd: Revocation, etc...]

From: Ben Laurie <ben@algroup.co.uk>

Prev by Date: ACM Comp. and Comm. Security: Reg-n Form and Call for Participation
Next by Date: SPKI list archives
Prev by thread: ACM Comp. and Comm. Security: Reg-n Form and Call for Participation
Next by thread: Re: [Fwd: Revocation, etc...]
Index(es):
- Main
- Thread