should you trust CAs? (Re: dual-use digital signature vulnerability)

Adam Back adam at cypherspace.org
Wed Jul 28 14:09:03 EDT 2004


The difference is if the CA does not generate private keys, there
should be only one certificate per email address, so if two are
discovered in the wild the user has a transferable proof that the CA
is up-to-no-good.  Ie the difference is it is detectable and provable.

If the CA in normal operation generates and keeps (or claims to
delete) the user private key, then CA misbehavior is _undetectable_.

Anyway if you take the WoT view, anyone who may have a conflict of
interest with the CA, or if the CA or it's employees or CPS is of
dubious quality; or who may be a target of CA cooperation with law
enforcement, secrete service etc would be crazy to rely on a CA.  WoT
is the answer so that the trust maps directly to the real world trust.
(Outsourcing trust management seems like a dubious practice, which in
my view is for example why banks do their own security,
thank-you-very-much, and don't use 3rd party CA services).

In this view you use the CA as another link in the WoT but if you have
high security requirements you do not rely much on the CA link.

Adam

On Wed, Jul 28, 2004 at 11:15:16AM -0400, Michael_Heyman at McAfee.com wrote:
> I would like to point out that whether or not a CA actually has the
> private key is largely immaterial because it always _can_ have the
> private key - a CA can always create a certificate for Alice whether or
> not Alice provided a public key.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list