A crazy thought?

Ian G iang at systemics.com
Mon May 28 09:18:24 EDT 2007


Allen wrote:

> Which led me to the thought that if it is possible, what could be done 
> to reduce the risk of it happening?
> 
> It occurred to me that perhaps some variation of "separation of duties" 
> like two CAs located in different political environments might be used 
> to accomplish this by having each cross-signing the certificate so that 
> the compromise of one CA would trigger an invalid certificate. This 
> might work if the compromise of the CA happened *after* the original 
> certificate was issued, but what if the compromise was long standing? Is 
> there any way to accomplish this?


What you are suggesting is called Web of Trust (WoT). 
That's what the PGP world does, more or less, and I gather 
that the SPKI concept includes it, too.

However, x.509 does not support it.  There is no easy way to 
add multiple signatures to an x.509 certificate without 
running into support problems (that is, of course you can 
hack it in, but browsers won't understand it, and developers 
won't support you).

(Anecdote 1:  I pushed all of the Ricardo financial 
transaction stuff over to x.509 for a time in 1998, but when 
I discovered the lack of multiple sigs, and a few other 
things, I was forced to go back to PGP.  Unfortunately, 
finance is fundamentally web of trust, and hierarchical PKI 
concepts such as coded into x.509, etc, will not work in 
that environment.)

(Anecdote 2: over at CAcert they attempt to graft a web of 
trust on to the PKI, and they sort of succeed.  But the 
result is not truly WoT, it is a hybrid, in that there is 
still only one sig on the cert, and we are back to the 
scenario that you suggest.  Disclosure:  I have something to 
do with CAcert...)

So as a practical matter, that which is known as x.509 PKI 
cannot do this.  For this reason, some critics have 
relabeled the CAs as Centralised Vulnerability Parties 
(CVPs) instead of the more familiar Trusted Third Parties 
(TTPs).

As a side note, outside the cryptography layer, there are 
legal, contractual, customary defences against the attacks 
that you outline.

iang
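
The single-signature limit described in the reply, as an added example that is not part of the original post: RFC 5280 defines a Certificate as exactly three fields (tbsCertificate, signatureAlgorithm, signatureValue), so a second CA's signature has no slot. The DER bytes below are constructed placeholders, not a real certificate, and all helper names are hypothetical.

```python
SEQUENCE, BIT_STRING = 0x30, 0x03

def tlv(tag, value):
    """Encode one DER element (short or long length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def read_tlv(buf, pos=0):
    """Decode the element at pos; return (tag, value, next_pos). Single-byte tags only."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def outer_tags(der):
    """Tags of the fields directly inside the outermost SEQUENCE."""
    tag, body, end = read_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tags, pos = [], 0
    while pos < len(body):
        t, _, pos = read_tlv(body, pos)
        tags.append(t)
    return tags

def conforms(der):
    """True only for the RFC 5280 shape: tbsCertificate, signatureAlgorithm, signatureValue."""
    return outer_tags(der) == [SEQUENCE, SEQUENCE, BIT_STRING]

# Constructed placeholders, not a real certificate or real signatures.
TBS = tlv(SEQUENCE, tlv(0x02, b"\x01"))  # stand-in for tbsCertificate
ALG = tlv(SEQUENCE, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
SIG_CA1 = tlv(BIT_STRING, b"\x00" + b"\xaa" * 64)
SIG_CA2 = tlv(BIT_STRING, b"\x00" + b"\xbb" * 64)

ONE_SIG = tlv(SEQUENCE, TBS + ALG + SIG_CA1)             # standard shape
TWO_SIGS = tlv(SEQUENCE, TBS + ALG + SIG_CA1 + SIG_CA2)  # second signature "hacked in"

if __name__ == "__main__":
    print("one signature :", conforms(ONE_SIG))
    print("two signatures:", conforms(TWO_SIGS))
```

A parser that enforces the three-field shape rejects the second structure, which is the support problem the reply describes.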

---------------------------------------------------------------------
The Cryptography Mailing List