On Wed, 28 Jul 2010 15:16:32 +0100 Ben Laurie <b...@google.com> wrote:
> On 28 July 2010 15:05, Perry E. Metzger <pe...@piermont.com> wrote:
> > On Wed, 28 Jul 2010 14:38:53 +0100 Ben Laurie <b...@links.org> wrote:
> >>
> >> And still needs revocation.
> >
> > Does it?
> >
> > I will point out that many security systems, like Kerberos,
> > DNSSEC and SSH, appear to get along with no conventional notion
> > of revocation at all
>
> Maybe it doesn't, but no revocation mechanism at all makes me
> nervous.

I think that is because you are thinking in terms of certificates,
which naturally would require such a mechanism.

> I don't know Kerberos well enough to comment.

In Kerberos, tickets are short lived -- one can simply fail to give
the person who stole a credential new ones, and in the interim, one
can remove the authorization that a particular principal has.

> DNSSEC doesn't have revocation but replaces it with very short
> signature lifetimes (i.e. you don't revoke, you time out).

Yes. Precisely.

> SSH does appear to have got away without revocation, though the
> nature of the system is s.t. if I really wanted to revoke I could
> almost always contact the users and tell them in person.

No, that's not what SSH does, or rather, it confuses the particular
communications channel (i.e. some out of band mechanism) with the
method that actually de-authorizes the key.

The point is that in SSH, if a key is stolen, you remove it from the
list of keys allowed to log in to a host. The key now need never be
thought about again. We require no list of "revoked keys" be kept,
just as we required no signed list of keys that were authorized. We
just had some keys in a database to indicate that they were
authorized, and we removed a key to de-authorize it.

> This doesn't scale very well to SSL-style systems.

I believe it does scale. Pretty much by definition, if you can get to
a web site, your Internet connectivity is working. That means that
there is no need for methods like having a signed key that lasts for
years so you can cache it for offline use.

I'm sure you remember the 1960s and 1970s well, as we are both a bit
past our youth. In the US, at least, every store clerk had in their
hands an unwieldy, telephone-book sized list of stolen credit card
numbers they had to consult at each credit card transaction. In those
days, there were no cheap modems and doing on-line verification was
impossible.

The whole point of Kohnfelder's thesis was, in effect, to turn the
1970s era books of stolen numbers into an offline machine readable
list. You signed a long-lived credential so that it could be checked
offline, and you kept a big book of withdrawn credentials around so
you could check them offline as well. It was a model from the era in
which everyone had a paper phone book. It was designed for the era
where networks were a rarity.

We no longer live in that era. The models used by Kerberos, DNSSEC,
SSH, and such, make far more sense. We no longer need revocation.

Perry
-- 
Perry E. Metzger                pe...@piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
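
An added example, not part of the original message: the SSH model described above, where de-authorizing a stolen key means deleting it from the list of allowed keys and the login check consults only that list. The key material, comments and command path are constructed for illustration, and the option handling is simplified.

```python
import base64, hashlib, struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256")

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_blob(line: str):
    """Decoded public-key blob of an authorized_keys line, or None."""
    if line.lstrip().startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except ValueError:
            continue
        name = tok.encode()
        # A real blob starts with its own length-prefixed type name; this
        # separates the key from look-alike text inside quoted options.
        if blob.startswith(struct.pack(">I", len(name)) + name):
            return blob
    return None

def deauthorize(text: str, stolen_fp: str):
    """Return (new file text, entries removed) with the stolen key dropped."""
    kept = [l for l in text.splitlines()
            if (b := key_blob(l)) is None or fingerprint(b) != stolen_fp]
    return "\n".join(kept) + "\n", len(text.splitlines()) - len(kept)

def is_authorized(text: str, blob: bytes) -> bool:
    """The whole login check: is the key in the list? No revoked list."""
    return any(key_blob(l) == blob for l in text.splitlines())

def _blob(raw: bytes) -> bytes:  # constructed ed25519-shaped key, not real
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + raw

ALICE, BOB = _blob(b"\x01" * 32), _blob(b"\x02" * 32)
_b64 = lambda b: base64.b64encode(b).decode()
SAMPLE = (  # constructed authorized_keys content
    "# constructed sample\n"
    f"ssh-ed25519 {_b64(ALICE)} alice@laptop\n"
    f'command="/usr/bin/backup now" ssh-ed25519 {_b64(ALICE)} alice@backup\n'
    f"ssh-ed25519 {_b64(BOB)} bob@desk\n"
)
```

Matching on the key blob rather than the comment catches a stolen key that was installed twice under different labels. The same removal has to be applied to each account's authorized_keys file on each host where the key was installed.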
