CFP: PKI research workshop

Carl Ellison cme at jf.intel.com
Mon Jan 14 17:08:27 EST 2002 

At 09:44 AM 1/14/2002 -0800, Eric Rescorla wrote:
>"Stef Caunter" <stefan.caunter at senecac.on.ca> writes:
>> Does a user of ssl services care to know absolutely that they are
>> communicating verifiably with whom they believe they have contacted, or does
>> the user care to know absolutely that their communication is completely
>> private?
>These are inextricably connected. If you want to know that
>your communications are private in the face of active attack
>you need to know who you're talking to as well.

Of course you do.  That's why https://store.palm.com/ is such a problem.  You thought you were talking to (and wanted to talk to) Palm Computing, just like the logos and page layout said you were.  You're not.  You're talking to a MITM.  Palm hired them to run the store?  The certificates don't say that.

[snip]

>> Why can't self-verification be promoted? Why can't an nslookup call be built
>> into certificate presentations?
>What are you talking about? An nslookup call wouldn't help anything.
>The essential problem is establishing that the public key you receive
>over the network actually belongs to the person you think it does.
>In the absence of a prior arrangement, the only way we know how
>to do this is to have that binding vouched for by a third-party.


Actually, Eric, the third party might confuse that for you.  The function it performs with respect to naming is not totally unlike the function of early anonymizers.  The TTP chooses a name to bind to the public key that might have only a tenuous relation to the name by which you know the keyholder.  As a result, when you do a name comparison between the certificate Subject and what you know about this person, "the person you think it does", you may have to make a guess about whether the match is correct.

Here we spend all this effort to reduce the probability of error, in the cryptography, to values like 2^{-128} and then make the security decision depend just as much on a guess with a much greater probability of error.  From the point of view of error probability, we should have left out the cryptographic part entirely.

 - Carl

P.S. the workshop where we should (and probably will) be discussing this is http://www.cs.dartmouth.edu/~pki02/ and there are still two weeks before papers are due.



+--------------------------------------------------------+
|Carl Ellison      Intel             E: cme at jf.intel.com |
|2111 NE 25th Ave  M/S JF3-212       T: +1-503-264-2900  |
|Hillsboro OR 97124                  F: +1-503-264-6225  |
|PGP Key ID: 0xFE5AF240              C: +1-503-819-6618  |
|  1FDB 2770 08D7 8540 E157  AAB4 CC6A 0466 FE5A F240    |
+--------------------------------------------------------+




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list