should you trust CAs? (Re: dual-use digital signature vulnerability)

Adam Back adam at cypherspace.org
Fri Jul 30 17:54:56 EDT 2004


On Wed, Jul 28, 2004 at 10:00:01PM -0700, Aram Perez wrote:
> As far as I know, there is nothing in any standard or "good security
> practice" that says you can't have multiple certificates for the same email
> address. If I'm willing to pay each time, Verisign will gladly issue me a
> certificate with my email, I can revoke it, and then pay for another
> certificate with the same email. I can repeat this until I'm bankrupt and
> Verisign will gladly accept my money.

Yes, but if you compare this with the CA having the private key, you
are going to notice that you revoked and issued a new key; also the CA
will have your revocation log to use in their defense.

At minimum it is detectable by savvy users who may notice that e.g. the
fingerprint for the key they have doesn't match with what someone else
had thought was their key.

> I agree with Michael H. If you trust the CA to issue a cert, it's
> not that much more to trust them with generating the key pair.

It's a big deal to let the CA generate your key pair.  Key pairs should
be generated by the user.

Adam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
