[Cryptography] Certificates and PKI

Benjamin Kreuter brk7bx at virginia.edu
Mon Dec 22 16:23:51 EST 2014 

On Mon, 2014-12-22 at 13:32 +0000, Ben Laurie wrote:

> Pinning does indeed not care who signed the certificate. However, it
> introduces an apparently insurmountable problem: what happens when you
> lose your key? And, to be clear, by "lose", I mean, "no longer have
> access to". It seems that your website is then unavailable for
> whatever the pin expiry time is. We don't think that's acceptable, nor
> fixable without introducing some entity with essentially the same role
> as a CA.

How is a key any different from all the files and databases websites
need to maintain backups for?  I think this is a tooling problem more
than anything else:  make it easy to back up keys, and this is less of
a problem.

> Dealing with leaked (i.e. usable by someone other than you) keys is
> also problematic - how do you ever regain control of your domain if
> you've ever had it taken over by a bad guy?

Is this a worse situation than what we face with the PKI?  Right now if
my key is leaked, I am in trouble.  I am also in trouble if any CA key
is leaked, even if I take every precaution with my own key.

I am not sure this problem is necessarily insurmountable.  If I still
have access to my leaked key, I can use it to sign a new key -- such a
mechanism would be necessary anyway.  Yes the attacker can also issue a
new key and trick users who are already being attacked, but at least the
attacker cannot do anything more than that (I can stop the attacker from
compromising more users).  Sure, even after the attack is done users who
were attacked will lose access until the pin expiration, which makes
attacks somewhat more damaging, but in return we would not be reliant on
CAs.

> However, I do wonder how people think a practical system with no
> CA-like entities is supposed to work?

It is supposed to work like SSH.  Yes, it is possible to be compromised
by an active attacker with SSH, but there is only a small window of
opportunity for the attacker.  Not many people actually check SSH keys
when they log in for the first time, yet there are few reports of
successful MITM attacks on SSH despite its widespread use and the high
value of many SSH targets.

One of the advantages of the SSH approach is that it makes hiding MITM
attacks difficult.  The only way to know if a user will be warned is to
actually try the attack; if the attack fails the user will be warned.
Compare that to a system with a CA-like entity, where you can compromise
the CA and thus guarantee that your attack will not result in any
warnings.

> > How can we get the browser makers to stop buying in to the PKI
> > fiction that does little except keep the CA business model alive?
> 
> Propose an actual workable alternative would be a good first step.

What we have now is not really working, so instead of asking for a
"workable" alternative perhaps we should ask for a "better" alternative.

-- Ben
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141222/e192dfe6/attachment.sig>

More information about the cryptography mailing list