Welome to the Internet, here's your private key

Arnold G. Reinhold reinhold at world.std.com
Fri Feb 8 16:11:37 EST 2002 

At 5:12 PM +0100 2/8/02, Jaap-Henk Hoepman wrote:
>I think there _are_ good business reasons for them not wanting the users to
>generate the keys all by themselves. Weak keys, and subsequent 
>compromises, may
>give the CA really bad press and resulting loss of reputation (and this
>business is built on reputation anyway).

If the CA has nothing to do with key generation in the first place, 
I'm not sure how weak keys would affect the CA's reputation. "We had 
nothing to do with making that key, we just signed it" is a concept 
even the general public can understand. And the risk of weak keys 
seems small compared to the myriad ways a user's private key can be 
compromised.  If the CA has any access to private keys, any 
compromise can be blamed on the CA and diminish their reputation.

>So: there are good reasons not to
>let the CA generate the private key, but also good reasons to not let the user
>generate the keys all by himself.
>
>So the question is: are there key generation protocols for mutually 
>distrustful
>parties, that would give the CA the assurance that the key is generated using
>some good randomness (coming from the CA) and would give the user 
>the guarantee
>that his private key is truly private. Also, the CA should be able to verify
>later that the random data he supplied was actually used, but this should not
>give him (too much) advantage to find the private key.

It's hard to see how to establish a secure protocol between the 
user's machine and the CA without a good source of randomness on the 
user's machine in the first place.  You can't presume there's a 
shared secret.

Simply providing an applet or plug-in to generate keys would seem 
sufficient.  The CA could maintain a list of approved smart cards 
based on inspecting their source code.  They might even let approved 
smart card vendors embed a signing key in the smart card to let the 
CA know that the user key had been generated by an approved device. 
Such a system could be defeated but it's not clear why anyone would 
have the motivation to do so. If someone wants to create a 
compromised key incident, they merely have to leak a key.


Arnold Reinhold

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list