[Cryptography] Client certificates as a defense against MITM attacks

[Bill Frantz]

On 3/16/14 at 3:49 PM, cryptography at dukhovni.org (Viktor 
Dukhovni) wrote:

>We might recognize the fact that introduction and key continuity
>are potentially separate problems.  After DNSSEC + DANE act as an
>introducer of strangers, where a TTP is largely unavoidable, we
>might from that point on use ideas along the lines of:
>
>https://tools.ietf.org/html/draft-perrin-tls-tack-02
>
>to make network MITM considerably more difficult.  The main difficulty
>is that with domains key continuity cannot be assured.  Domains
>are sometimes transferred to new owners, and in those cases it is
>not clear whether the new owner's keys will be signed by the previous
>owner.
>
>This means that automated lights-out applications (say MTA to MTA
>email) can't rely on Tack working indefinitely for all domains, and
>some process for handing re-keying on domain transfer needs to be
>designed that does not immediate bring back the MITM risks that
>Tack is designed to avoid.

There is a way to do rekeying easily. You use a trusted key, 
whether it's the key remembered by the application, or the key 
whose hash is passed along with the URL as an authenticator, or 
some other scheme as a "CA" which can sign shorter lived keys 
which are used for signing the session initiation data (ala 
TLS). It is the identity of this trusted key which remembered. 
This is kind of a mini-CA model where the CA and the sub-keys 
are controlled by the same organization.

I don't know if PKIX can support this use. They have a CA sign 
keys which aren't permitted to sign sub-keys. Probably another 
epicycle could be invented to make this usage work with CAs though.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | I don't have high-speed      | Periwinkle
(408)356-8506      | internet. I have DSL.        | 16345 
Englewood Ave
www.pwpconsult.com |                              | Los Gatos, 
CA 95032