A crazy thought?

Jon Callas jon at callas.org
Sun Jun 10 18:04:43 EDT 2007

On May 28, 2007, at 6:18 AM, Ian G wrote:

> Allen wrote:
>> Which led me to the thought that if it is possible, what could be
>> done to reduce the risk of it happening?
>> It occurred to me that perhaps some variation of "separation of  
>> duties" like two CAs located in different political environments  
>> might be used to accomplish this by having each cross-signing the  
>> certificate so that the compromise of one CA would trigger an  
>> invalid certificate. This might work if the compromise of the CA  
>> happened *after* the original certificate was issued, but what if  
>> the compromise was long standing? Is there any way to accomplish  
>> this?
> What you are suggesting is called Web of Trust (WoT). That's what  
> the PGP world does, more or less, and I gather that the SPKI  
> concept includes it, too.
> However, x.509 does not support it.  There is no easy way to add  
> multiple signatures to an x.509 certificate without running into  
> support problems (that is, of course you can hack it in, but  
> browsers won't understand it, and developers won't support you).

I'm going to disagree with you a bit, Ian. If you take two X.509  
certificates that contain the same public key, they are semantically  
equivalent to an OpenPGP certificate with two signatures on the key.  
PGP [1] does this; it takes public keys and images them into OpenPGP  
and X.509 certificates, creating parallel structures.

Yes, most X.509-using software doesn't know diddly about multiple  
certifications. In most cases, this doesn't matter, because you just  
hand them one certificate they'll accept and they go on their merry  
way. Yes, this introduces the risk that Allen is talking about, but that's
*their* problem, not mine.

> (Anecdote 1:  I pushed all of the Ricardo financial transaction  
> stuff over to x.509 for a time in 1998, but when I discovered the  
> lack of multiple sigs, and a few other things, I was forced to go  
> back to PGP.  Unfortunately, finance is fundamentally web of trust,  
> and hierarchical PKI concepts such as coded into x.509, etc, will  
> not work in that environment.)

This was nonetheless likely a wise engineering decision because  
OpenPGP supports this directly, and in X.509 you have to create a lot  
of software to recognize that a set of certificates belong together.

> (Anecdote 2: over at CAcert they attempt to graft a web of trust on  
> to the PKI, and they sort of succeed.  But the result is not truly  
> WoT, it is a hybrid, in that there is still only one sig on the  
> cert, and we are back to the scenario that you suggest.   
> Disclosure:  I have something to do with CAcert...)

Bridge CAs are also a way of putting web-of-trust concepts into
hierarchical trust systems.

> So as a practical matter, that which is known as x.509 PKI cannot  
> do this.  For this reason, some critics have relabeled the CAs as  
> Centralised Vulnerability Parties (CVPs) instead of the more  
> familiar Trusted Third Parties (TTPs).
> As a side note, outside the cryptography layer, there are legal,  
> contractual, customary defences against the attacks that you outline.

That I agree with completely. You cannot create trust with  
cryptography, no matter how much cryptography you use. A good  
jurisdiction trumps technology.


[1] PGP is a registered trademark of PGP Corporation and refers to  
software that it produces. The PGP Software Products implement the  
OpenPGP protocol standard, as well as several dialects of X.509. It  
also implements S/MIME, TLS, and a variety of other standard and
non-standard protocols. Since I'm a founder and executive of that
company, I'm obligated to point this out periodically, despite the  
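
The two-CA "separation of duties" check Allen asks about, and the software Jon says X.509 needs in order to recognize that a set of certificates belong together, as an added Go example that is not part of this thread or of any product mentioned in it: it groups certificates by SubjectPublicKeyInfo and counts how many distinct trusted CAs validly certified the same key. The CAs, keys and names are constructed in the code; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panics on error to keep the constructed demo short
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue has caKey sign a certificate binding pub to cn; a nil parent makes it self-signed.
func issue(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, caKey *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey))))
}

// IndependentCertifiers counts distinct trusted CAs whose signature verifies on a certificate in pool carrying
// exactly target's SubjectPublicKeyInfo: the "recognize that a set of certificates belong together" step.
func IndependentCertifiers(target *x509.Certificate, pool, trusted []*x509.Certificate) int {
	seen := map[string]bool{}
	for _, c := range pool {
		for _, ca := range trusted {
			if string(c.RawSubjectPublicKeyInfo) == string(target.RawSubjectPublicKeyInfo) && c.CheckSignatureFrom(ca) == nil {
				seen[string(ca.RawSubjectPublicKeyInfo)] = true // signature and CA basic constraints both verified
			}
		}
	}
	return len(seen)
}

// Scenario (constructed): trusted CA-A and CA-B both certify alice's key; only an untrusted CA certifies mallory's.
func Scenario() (alice, mallory int) {
	caA, caB, rogue, kA, kM := newKey(), newKey(), newKey(), newKey(), newKey()
	certA, certB := issue("CA-A", &caA.PublicKey, nil, caA, true), issue("CA-B", &caB.PublicKey, nil, caB, true)
	certR, trusted := issue("Rogue-CA", &rogue.PublicKey, nil, rogue, true), []*x509.Certificate{certA, certB}
	pool := []*x509.Certificate{issue("alice", &kA.PublicKey, certA, caA, false),
		issue("alice", &kA.PublicKey, certB, caB, false), issue("mallory", &kM.PublicKey, certR, rogue, false)}
	return IndependentCertifiers(pool[0], pool, trusted), IndependentCertifiers(pool[2], pool, trusted) // 2, 0
}
```

Call Scenario from a main or a test: a policy requiring two independent certifiers accepts alice's key (2) and rejects mallory's (0), whose only certifier is not in the trusted set.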

The Cryptography Mailing List