A cool demo of how to spoof sites (also shows how TrustBar preventsthis...)

Anne & Lynn Wheeler lynn at garlic.com
Thu Feb 10 21:03:37 EST 2005 

Steven M. Bellovin wrote:
> "Unusual CA"?  I'm not sure what a *usual* CA is.
> 
> Just for fun, I opened up the CA list that came with my copy of 
> Firefox.  There are no fewer than 40 different entities listed, many of 
> whom have more than one certificate.  I personally know less than half 
> of them to be trustworthy -- and that's assuming that, say, Thawte, 
> Thawte Consulting, and Thawte Consulting cc are all the same company 
> and I can count that as three different ones.  I had no idea that that 
> the U.S. Postal Service had a CA that was trusted by my browser -- and 
> I dare say that many non-Americans wouldn't trust it at all, on the 
> assumption that it would do whatever the U.S. government told it to do. 

cylink had the contract ... bea had subcontract. usps was going to do 
some sort of in-person verification before issuing the certificate ... 
along the lines of US passports.
http://www.gcn.com/17_24/news/33918-1.html

this dates back to the days when the CA industry was floating business 
cases that there was going to be $100/annum x.509 identity certificate 
for every person in the country (the $20b/annum gift to the CA industry 
story).

there was some rumor that if the gov. wouldn't cough up the $20b/annum, 
then the financial industry was just chopping at the bit to turn over 
$20b/annum to certification authorities. there is a story from the 
period about an offer to a financial institution that if they would 
transmit a copy of the master account database of tens of millions of 
customers to the certification authority ... the certification authority 
would re-arrange the bits in each database entry into this magic format 
called a certificate and return the re-arranged magic bits to the 
financial institution at a mere $100/database entry (nominally overnight 
... but possibly actually several days, maybe only earning the CA a 
measely $1b/day of work).

this overlapped with the realization that identity certificates were 
composed at some point in the past w/o any knowledge of just what 
identity information any future relying parties might require .... as a 
result there was one strategy that it would be necessary to overload all 
identity certificate with every possibly piece of identity information 
so as to cover all possible requirements possibly needed by future 
unknown relying parties.

at the same time, the financial industry was realizing that identity 
certificates represented huge privacy and liability exposures ... and so 
you started to see retrenching by various parties (particularly the 
financial industry) to relying-party-only certificates. misc. past posts 
about relying-party-only certificates:
http://www.garlic.com/~lynn/subpubkey.html#rpo

The problem lurking in the background is that fundamentally, the 
certificate design-point is an offline paradigm in a situation where the 
relying-party has absolutely no recourse for obtaining information about 
the origin of the digital signature (so is reduced to operating with a 
letter-of-credit paradigm from the sailing ship era).

This fact was well highlighted in digitally signed payment scenario. A 
bank customer was issued a relying-party-only certificate by their 
financial institution (after registering their public key in the 
financial institution's account record). The customer would then create 
a payment authorization message, digitally sign the message and then 
transmit the message, the digital signature and the bank's 
relying-party-only certificate back to the bank. Since the bank already 
has the customer's public key on file, the first thing it does is 
discard the transmitted certificate and verifies the digital signature 
with the on-file public key.

Another minor annoyance was that typical digital certificate was 
nominally two orders of magnitude (one hundred times) larger than the 
typical 8583 payment message. So not only were the relying-party-only 
certificates redundant and superfluous ... its only apparent purpose was 
to increase transmission payload bloat by a factor of 100 times.

some past posts about browser trusted public key lists:
http://www.garlic.com/~lynn/aepay4.htm#comcert14 Merchant Comfort 
Certificates
http://www.garlic.com/~lynn/aepay4.htm#comcert16 Merchant Comfort 
Certificates
http://www.garlic.com/~lynn/2003l.html#27 RSA vs AES



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list