A crazy thought?
jon at callas.org
Sun Jun 10 18:04:43 EDT 2007
On May 28, 2007, at 6:18 AM, Ian G wrote:
> Allen wrote:
>> Which lead me to the thought that if it is possible, what could be
>> done to reduce the risk of it happening?
>> It occurred to me that perhaps some variation of "separation of
>> duties" like two CAs located in different political environments
>> might be used to accomplish this by having each cross-signing the
>> certificate so that the compromise of one CA would trigger an
>> invalid certificate. This might work if the compromise of the CA
>> happened *after* the original certificate was issued, but what if
>> the compromise was long standing? Is there any way to accomplish
> What you are suggesting is called Web of Trust (WoT). That's what
> the PGP world does, more or less, and I gather that the SPKI
> concept includes it, too.
> However, x.509 does not support it. There is no easy way to add
> multiple signatures to an x.509 certificate without running into
> support problems (that is, of course you can hack it in, but
> browsers won't understand it, and developers won't support you).
I'm going to disagree with you a bit, Ian. If you take two X.509
certificates that contain the same public key, they are semantically
equivalent to an OpenPGP certificate with two signatures on the key.
PGP  does this; it takes public keys and images them into OpenPGP
and X.509 certificates, creating parallel structures.
Yes, most X.509-using software doesn't know diddly about multiple
certifications. In most cases, this doesn't matter, because you just
hand them one certificate they'll accept and they go on their merry
way. Yes, this introduces risk that Alan is talking about, but that's
*their* problem, not mine.
> (Anecdote 1: I pushed all of the Ricardo financial transaction
> stuff over to x.509 for a time in 1998, but when I discovered the
> lack of multiple sigs, and a few other things, I was forced to go
> back to PGP. Unfortunately, finance is fundamentally web of trust,
> and hierarchical PKI concepts such as coded into x.509, etc, will
> not work in that environment.)
This was nonetheless likely a wise engineering decision because
OpenPGP supports this directly, and in X.509 you have to create a lot
of software to recognize that a set of certificates belong together.
> (Anecdote 2: over at CAcert they attempt to graft a web of trust on
> to the PKI, and they sort of succeed. But the result is not truly
> WoT, it is a hybrid, in that there is still only one sig on the
> cert, and we are back to the scenario that you suggest.
> Disclosure: I have something to do with CAcert...)
Bridge CAs are also a way of putting web-of-trust concepts into
hierarchical trust systems as well.
> So as a practical matter, that which is known as x.509 PKI cannot
> do this. For this reason, some critics have relabeled the CAs as
> Centralised Vulnerability Parties (CVPs) instead of the more
> familiar Trusted Third Parties (TTPs).
> As a side note, outside the cryptography layer, there are legal,
> contractual, customary defences against the attacks that you outline.
That I agree with completely. You cannot create trust with
cryptography, no matter how much cryptography you use. A good
jurisdiction trumps technology.
 PGP is a registered trademark of PGP Corporation and refers to
software that it produces. The PGP Software Products implement the
OpenPGP protocol standard, as well as several dialects of X.509. It
also implements S/MIME, TLS, and a variety of other standard and non-
standard protocols. Since I'm a founder and executive of that
company, I'm obligated to point this out periodically, despite the
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography