dual-use digital signature vulnerability

Michael_Heyman at McAfee.com
Wed Jul 28 11:15:16 EDT 2004


> From: owner-cryptography at metzdowd.com 
> [mailto:owner-cryptography at metzdowd.com] On Behalf Of Peter Gutmann
> Sent: Saturday, July 24, 2004 9:07 PM
> [SNIP]
> A depressing number of CAs generate the private key 
> themselves and mail out to the client.
>
Replies to this talked about business cases to have control of the
private key not only under the identity upheld by the certificate.

I would like to point out that whether or not a CA actually has the
private key is largely immaterial because it always _can_ have the
private key - a CA can always create a certificate for Alice whether or
not Alice provided a public key.

Whether or not Alice has complete control over her private key makes no
difference to Bob. If the CA works properly, Bob and Alice can have
authenticated and private communications. If the CA is compromised (or
inherently malicious), Bob will think he is having authenticated and
private communications with Alice but will actually have it with an
agent of the CA's choosing. This is the way the system was designed. Bob
trusts the CA to provide for authenticated and private communications
with Alice.

<2 cents>In the business cases pointed out where it is good that the
multiple parties hold the private key, I feel the certificate should
indicate that there are multiple parties so that Bob can realize he is
having authenticated and private communications with Alice _and_ Alice's
employer. X.509 does not provide a standard way to encode multiple
subjects.</2 cents>

-Michael Heyman

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
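
The point made in the message above, as an added example that is not part of the original post: a relying party's certificate check accepts any binding the CA signs for "Alice", whoever generated the key. The toy textbook-RSA CA key, the function names, the placeholder public keys and the out-of-band fingerprint pin are all assumptions made for illustration.

```python
import hashlib

# Constructed toy CA key: textbook RSA over two Mersenne primes. Unpadded and
# far too small for real use; it only makes the signature check concrete.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # CA private exponent


def _digest(subject, public_key):
    """Hash the signed binding (subject name, public key) into the range [0, N)."""
    tbs = subject.encode() + b"\x00" + public_key
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % N


def ca_issue(subject, public_key):
    """The CA binds a name to whatever key it was given or generated itself."""
    return {"subject": subject, "public_key": public_key,
            "signature": pow(_digest(subject, public_key), D, N)}


def bob_validates(cert, expected_subject):
    """Ordinary relying-party check: expected name and a valid CA signature."""
    expected = _digest(cert["subject"], cert["public_key"])
    return cert["subject"] == expected_subject and pow(cert["signature"], E, N) == expected


def fingerprint(cert):
    return hashlib.sha256(cert["public_key"]).hexdigest()


def bob_validates_pinned(cert, expected_subject, pinned_fp):
    """Same check plus a key fingerprint Bob got from Alice out of band (assumed)."""
    return bob_validates(cert, expected_subject) and fingerprint(cert) == pinned_fp


# Constructed stand-ins for public keys: one Alice generated, one the CA generated.
cert_from_alice = ca_issue("Alice", b"constructed-public-key-generated-by-alice")
cert_ca_only = ca_issue("Alice", b"constructed-public-key-generated-by-the-ca")
# The same key swap without the CA re-signing: the signature no longer matches.
swapped_without_ca = dict(cert_from_alice, public_key=cert_ca_only["public_key"])

if __name__ == "__main__":
    pin = fingerprint(cert_from_alice)
    for label, cert in [("key from Alice", cert_from_alice),
                        ("key made by CA", cert_ca_only),
                        ("swapped, unsigned", swapped_without_ca)]:
        print(label, bob_validates(cert, "Alice"),
              bob_validates_pinned(cert, "Alice", pin))
```

Both CA-signed certificates pass the ordinary check; only the pinned comparison separates them, and it relies on a channel outside the CA.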


