Lie in X.BlaBla...

Enzo Michelangeli em at who.net
Sun Jun 3 22:51:36 EDT 2001


----- Original Message -----
From: "Greg Broiles" <gbroiles at well.com>
To: <jamesd at echeque.com>; "Enzo Michelangeli" <em at em.no-ip.com>
Cc: <cryptography at wasabisystems.com>
Sent: Monday, June 04, 2001 2:00 AM
Subject: Re: Lie in X.BlaBla...


[...]
> It does no such thing. The law criminalizes the following -
>
> (1) Knowingly misrepresenting one's identity or authorization to obtain a
> certificate which refers to a private key for creating signatures (Sec.
> 1(1))
>
> (2) Knowingly forge a digital signature (Sec. 1(2)), which means -
>          (a) creating a digital signature without the authorization of the
> rightful holder of the private key
>          (b) creating a digital signature verifiable by a certificate
> listing as a subscriber a person who -
>                  (i) does not exist
>                  (ii) does not hold the private key corresponding to the
> public key listed in the certificate
>          (RCW 19.34.020 (16))
>
> (3) Knowingly present a certificate for which you are not the owner of the
> corresponding private key, IN ORDER TO OBTAIN UNAUTHORIZED ACCESS TO
> INFORMATION OR ENGAGE IN AN UNAUTHORIZED TRANSACTION. (Sec. 1(3), emphasis
> added because it's apparently common to stop reading halfway through that
> sentence)

OK, so excuse me for being dense, but how exactly can such an attack be
perpetrated? No sane authorization system bases authentication on the mere
presentation of the certificate: one must have the corresponding private
key. So, does this section of the law intend to punish misappropriation of
a private key? Fine, but then it could just say so, better if stating in
general terms: "Using stolen or otherwise unlawfully obtained information to
gain unauthorized access to information or engage in an unauthorized
transaction". This would also cover other cases (is it perhaps OK to tamper
maliciously with Kerberos tickets or to steal a login password?) also
including non-electronic forms of identity theft.

Talking of which, theft and fraud are ALREADY offences, regardless
of the context, and I see no point in creating an additional statute.

Enzo

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com