dual-use digital signature vulnerability
astiglic at okiok.com
Anne & Lynn Wheeler
lynn at garlic.com
Sun Jul 25 15:41:56 EDT 2004
At 07:07 PM 7/24/2004, Peter Gutmann wrote:
>A depressing number of CAs generate the private key themselves and mail out to
>the client. This is another type of PoP, the CA knows the client has the
>private key because they've generated it for them.
one could claim that there might be two possible usage scenarios,
involving two different threat models: encryption and authentication.

from a business standpoint the encryption of corporate data (especially
data at rest .... which might include some of the corporate jewels) can
represent single points of failure ... if private key is required for the
recovery of corporate jewels and the private key isn't reliably replicated
(to avoid single points of failure); then there is a serious, corporate,
overriding availability threat.

the claim can be made that the trade-off for authentication and digital
signature would result in no escrow or replication of private key ....
since the overriding threat model is a) impersonation and/or b) not being
able to reliably attribute certain actions to specific people.

the assertion here is possible threat model confusion when the same exact
technology is used for two significantly different business purposes.

.... in general, no key escrow or no key replication is frequently bad in
the encryption business process scenario

... while no key escrow or no key replication is good in the
authentication/digital signature business process scenario.

a problem arises when the business purpose uses of the public/private key
pair aren't sufficiently described ... leading to confusion (and/or the same
public/private key pair is used for different business processes with
possibly conflicting threat models).
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/