A mighty fortress is our PKI

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Jul 27 10:11:15 EDT 2010


Paul Tiemann <paul.tiemann.usenet at gmail.com> writes:

>[...]

This is kind of a long message to reply to so I'll just post a meta-reply to
avoid getting bogged down in nitpicking.  The message, as the subject line
indicated, was intended to start a discussion on some of the weaknesses
inherent in the SSL and commercial PKI model.  I consciously worded it to
avoid mentioning any CA names, and only mentioned Edgecast because it was
impossible not to (I had to provide a URL for the cert), and even then
included a disclaimer that it wasn't a criticism of Edgecast.  I actually
agree with a lot of the points made in the response, since this wasn't a
failing of Edgecast or a CA but a problem in the way SSL's PKI (or more
generally just PKI as a whole) works.  Because it was designed for the
purposes of authenticating a single user to the global X.500 directory it
really doesn't have any provision for Sybil certs (I'm going to keep calling
them that because we need some sort of label for them :-).

The intent with posting it to the list was to get input from a collection of
crypto-savvy people on what could be done.  The issue had previously been
discussed on a (very small) private list, and one of the members suggested I
post it to the cryptography list to get more input from people.  The follow-up
message (the "Part II" one) is in a similar vein, a summary of a problem and
then some starters for a discussion on what the issues might be.

So a general response to the several "well, what would you do?" questions is
"I'm not sure, that's why I posted this to the list".  For example should an
SSL cert be held to higher standards than the server it's hosted on?  In other
words if it's easier to compromise a CDN host or (far more likely) a web app
on it, does it matter if you're using a Sybil cert?  I have no idea, and I'm
open to arguments for and against.

>I've spoken with my contacts at Edgecast, and they expressed that they're
>very willing to consider alternate approaches.

I'm not actually sure what the "fix" would be for this, or even if there is a
fix that needs to be made.  Thus the hope to get it discussed on the list.

(Oh, and a comment on the XS* bit: that was based on an earlier off-list
discussion on messing with Firefox' same-origin policy protection mechanism
and isn't relevant here; the real issue is the more obvious one of a single
cert acting for large numbers of totally unrelated domains with very different
security requirements).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List