[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: X.509 ACs vs. SPKI?

To: nisse@lysator.liu.se (Niels Möller )
Subject: Re: X.509 ACs vs. SPKI?
From: Tony Bartoletti <azb@llnl.gov>
Date: Wed, 26 May 1999 16:37:54 -0700
Cc: Ed Gerck <egerck@laser.cps.softex.br>, spki@c2.net
In-Reply-To: <nnr9o3h7gx.fsf@sanna.lysator.liu.se>
References: <Tony Bartoletti's message of "Wed, 26 May 1999 10:26:09 -0700"><3.0.3.32.19990526102609.00ad5690@poptop.llnl.gov>
Sender: owner-spki@c2.net

At 11:00 PM 5/26/99 +0200, Niels Möller wrote:
>But to "happen" to independently regenerate somebody elses _private_
>key is hard, as its equivalent to successfully breaking the public
>key, by guessing. And if you somehow manage to generate/guess the
>other person's key, we have some vastly more serious problems than
>non-uniqueness of identifiers.
>
>And the usual procedure is to consider that possiblity as small enough
>to be safely neglected.
>
>Or am I missing something?
>
>Regards,
>/Niels

No, you got it right.  I should have used (exceptional!) instead of
(exceptional?) but I suppose there are other avenues of attack.
If someone actually stole your secret key, they might have a new
cert produced with alternate attributes.  Thus keys (and key-hashes)
would be identical, yet the certs (and cert-hashes) differ.

The central issue of the posting was in the second paragraph.
Namely, (even given key-pair uniqueness) how far can one get
when the verifying party sees only the (authenticated) hash of
another key, rather than the authenticated hash of a certificate.

My (tentative) answer for SPKI was that key-hash is sufficient,
given that the verifier is the issuer, and is presumed to have
the corresponding (unique) certificate in hand already.

___tony___ 

Tony Bartoletti                                             LL
Center for Information Operations and Assurance          LL LL
Lawrence Livermore National Laboratory                LL LL LL
PO Box 808, L - 303                                   LL LL LL
Livermore, CA 94551-9900                              LL LL LLLLLLLL
phone: 925-422-3881   fax: 925-423-8002               LL LLLLLLLL
email: azb@llnl.gov                                   LLLLLLLL

Follow-Ups:

Re: X.509 ACs vs. SPKI?

From: Ed Gerck <egerck@laser.cps.softex.br>

References:

Re: X.509 ACs vs. SPKI?

From: Tony Bartoletti <azb@llnl.gov>

Re: X.509 ACs vs. SPKI?

From: nisse@lysator.liu.se (Niels Möller)

Prev by Date: Re: X.509 ACs vs. SPKI?
Next by Date: Re: X.509 ACs vs. SPKI?
Prev by thread: Re: X.509 ACs vs. SPKI?
Next by thread: Re: X.509 ACs vs. SPKI?
Index(es):
- Main
- Thread