How many wrongs do you need to make a right?

Steven M. Bellovin smb at cs.columbia.edu
Wed Aug 17 12:18:21 EDT 2005


In message <87u0hoae7y.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
>* Steven M. Bellovin:
>
>> In message <87br3wdal7.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
>>
>>>
>>>Can't you strip the certificates which have expired from the CRL?  (I
>>>know that with OpenPGP, you can't, but that's a different story.)
>>>
>>>OTOH, I wouldn't be concerned by the file size, although it's
>>>certainly annoying.  I would be really worried that the contents of
>>>that CRL leaks sensitive information.  At least from a privacy point
>>>of view, this is a big, big problem, especially if you include some
>>>indication which allows you to judge the validity of old signatures.
>>>
>>
>> One can easily conceive of schemes that don't have such problems, such 
>> as simply publishing the hash of revoked certificates, or using a Bloom 
>> filter based on the hashes.
>
>This doesn't completely eliminate the data leak, as long as the
>certificates were used in end-to-end communications.  Analysis for
>relative outsiders becomes harder, though.
>
Details matter.  If two parties do a DH exchange before sending their 
certificates, it would take an active attack.  In many protocols, one 
party authenticates first, thereby preventing an active attack on the 
other.

But any CRL scheme exposes knowledge of a compromise to a corrupt 
insider -- and they're often the primary party from whom you want to 
keep such information.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
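
Added example, not part of the original message: a Python sketch of the "Bloom filter based on the hashes" idea from the quoted text, in which only bits derived from SHA-256 digests of revoked certificates are published. The class and function names, the sizing parameters and the constructed byte strings standing in for DER-encoded certificates are assumptions.

```python
import hashlib
import math


class RevocationFilter:
    """Bloom filter over SHA-256 digests of revoked certificates."""

    def __init__(self, expected_items, fp_rate):
        # Standard sizing: m = -n*ln(p)/(ln 2)^2 bits, k = (m/n)*ln 2 probes.
        self.m = math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, cert_der):
        # Only the digest of the certificate ever influences the filter.
        digest = hashlib.sha256(cert_der).digest()
        h1 = int.from_bytes(digest[:16], "big")
        h2 = int.from_bytes(digest[16:], "big") | 1  # odd step for double hashing
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, cert_der):
        for p in self._positions(cert_der):
            self.bits[p // 8] |= 1 << (p % 8)

    def maybe_revoked(self, cert_der):
        # False means definitely not listed; True means listed or a false positive.
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(cert_der))


def build_filter(revoked, fp_rate=0.001):
    f = RevocationFilter(len(revoked), fp_rate)
    for cert in revoked:
        f.add(cert)
    return f


def false_positive_rate(f, unrevoked):
    return sum(f.maybe_revoked(c) for c in unrevoked) / len(unrevoked)


# Constructed stand-ins for DER-encoded certificates (not real certificates).
REVOKED = [b"constructed-revoked-cert-%d" % i for i in range(1000)]
UNREVOKED = [b"constructed-valid-cert-%d" % i for i in range(10000)]

if __name__ == "__main__":
    f = build_filter(REVOKED)
    print(len(f.bits), "bytes published,", f.k, "probes per lookup")
    print("all revoked found:", all(f.maybe_revoked(c) for c in REVOKED))
    print("false positive rate:", false_positive_rate(f, UNREVOKED))
```

A hit only means "possibly revoked", so a relying party needs a definitive check before rejecting a certificate. Anyone who already holds a certificate can still test it against the published filter, which is the residual leak raised in the quoted reply.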


