CFP: PKI research workshop
Carl Ellison
cme at jf.intel.com
Mon Jan 14 17:08:27 EST 2002
At 09:44 AM 1/14/2002 -0800, Eric Rescorla wrote:
>"Stef Caunter" <stefan.caunter at senecac.on.ca> writes:
>> Does a user of ssl services care to know absolutely that they are
>> communicating verifiably with whom they believe they have contacted, or does
>> the user care to know absolutely that their communication is completely
>> private?
>These are inextricably connected. If you want to know that
>your communications are private in the face of active attack
>you need to know who you're talking to as well.
Of course you do. That's why https://store.palm.com/ is such a problem. You thought you were talking to (and wanted to talk to) Palm Computing, just like the logos and page layout said you were. You're not. You're talking to a MITM. Palm hired them to run the store? The certificates don't say that.
[snip]
>> Why can't self-verification be promoted? Why can't an nslookup call be built
>> into certificate presentations?
>What are you talking about? An nslookup call wouldn't help anything.
>The essential problem is establishing that the public key you receive
>over the network actually belongs to the person you think it does.
>In the absence of a prior arrangement, the only way we know how
>to do this is to have that binding vouched for by a third-party.
Actually, Eric, the third party might confuse that for you. The function it performs with respect to naming is not totally unlike the function of early anonymizers. The TTP chooses a name to bind to the public key that might have only a tenuous relation to the name by which you know the keyholder. As a result, when you do a name comparison between the certificate Subject and what you know about this person, "the person you think it does", you may have to make a guess about whether the match is correct.
Here we spend all this effort to reduce the probability of error, in the cryptography, to values like 2^{-128} and then make the security decision depend just as much on a guess with a much greater probability of error. From the point of view of error probability, we should have left out the cryptographic part entirely.
- Carl
P.S. the workshop where we should (and probably will) be discussing this is http://www.cs.dartmouth.edu/~pki02/ and there are still two weeks before papers are due.
+--------------------------------------------------------+
|Carl Ellison Intel E: cme at jf.intel.com |
|2111 NE 25th Ave M/S JF3-212 T: +1-503-264-2900 |
|Hillsboro OR 97124 F: +1-503-264-6225 |
|PGP Key ID: 0xFE5AF240 C: +1-503-819-6618 |
| 1FDB 2770 08D7 8540 E157 AAB4 CC6A 0466 FE5A F240 |
+--------------------------------------------------------+
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list