should you trust CAs? (Re: dual-use digital signature vulnerability)
Anne & Lynn Wheeler
lynn at garlic.com
Wed Jul 28 16:35:42 EDT 2004
At 12:09 PM 7/28/2004, Adam Back wrote:
>The difference is if the CA does not generate private keys, there
>should be only one certificate per email address, so if two are
>discovered in the wild the user has a transferable proof that the CA
>is up-to-no-good. Ie the difference is it is detectable and provable.
>
>If the CA in normal operation generates and keeps (or claims to
>delete) the user private key, then CA misbehavior is _undetectable_.
>
>Anyway if you take the WoT view, anyone who may have a conflict of
>interest with the CA, or if the CA or it's employees or CPS is of
>dubious quality; or who may be a target of CA cooperation with law
>enforcement, secrete service etc would be crazy to rely on a CA. WoT
>is the answer so that the trust maps directly to the real world trust.
>(Outsourcing trust management seems like a dubious practice, which in
>my view is for example why banks do their own security,
>thank-you-very-much, and don't use 3rd party CA services).
>
>In this view you use the CA as another link in the WoT but if you have
>high security requirements you do not rely much on the CA link.
in the case of SSL domain name certificates ... it may just mean that
somebody has been able to hijack the domain name ... and produce enuf
material that convinces the CA to issue a certificate for that domain name.
recent thread in sci.crypt
http://www.garlic.com/~lynn/2004h.html#28 Convince me that SSL
certificates are not a big scam
the common verification used for email address certificates (by
certification authorities) ... is to send something to that email address
with some sort of "secret" instructions. so the threat model is some sort
of attack on email from the CA ... snarf the user's ISP/webmail password
and intercept the CA verification email. (it simply falls within all the
various forms of identity theft ... and probably significantly simpler than
getting a fraudulent driver's license). with the defense that it is
possibly another form of identity theft .... say you ever actually stumbled
across such a fraudulently issued certificate .... it would probably be
difficult to prove whether or not the certification authority was actually
involved in any collusion. even discounting that there is no inter-CA
certificate duplicate issuing verification .... there are enuf failure
scenarios for public/private keys .... that somebody could even convince
the same CA to issue a new certificate for the same email address (even
assuming that they bothered to check)
-
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list