Can we copy trust?
Ed Gerck
edgerck at nma.com
Tue Jun 3 13:05:47 EDT 2008
mheyman at gmail.com wrote:
> You don't have to trust the target site's self assertions about
> its own identity because you trust the root to only validate for sites
> that are what they claim to be.
From the viewpoint of the user (which is the viewpoint used by
Kelly), we see that trust can be copied when different users,
accessing different servers for the same domain, do not know that they
are using different copies of the /same/ SSL cert. In fact, no copy is
less of an original than the original itself!
We see that the trust relationship represented by that SSL cert can be
copied without any loss, as many times as you wish (for the possible
dismay of the CA). If the CA bit is set, trust can even be transferred
to multiple domains, and the trust represented by each such SSL cert
in each domain can be copied without limit as well.
As to another point of your comment, the problem most people have with
PKI is not that SSL does not work. SSL does not even need PKI.
The problem can be explained in terms of extent of trust. If you don't
define your extent of trust in a CA, for example in your acceptance
policy of records signed by certs from a CA, you may run into
difficulties. The difficulties are /solved/ (within your risk model)
when you correctly define the extent of trust -- rather than just
taking a "trust in all matters" attitude.
For example, even though I do not trust a CA's CRLs, I may trust that
CA to prevent rogue use of its private-key for signing end-user certs.
This trust, limited by this extent, can be used in automating use of
certs from that CA -- for example, only accept signatures from
end-user certs of that CA if the cert is less than 31 days old (or, 15
days -- whatever your risk model says).
Cheers,
Ed Gerck
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list