at the NIST PKI workshop a couple months ago .... there were a number
of infrastructure presentations where various entities in the
infrastructure were ...signing random data as part of authentication protocol


I believe our paper may have been one of those that Lynn objected to. We used the same key for client-side TLS as well as for signing a delegation certificate. However (as we made sure to clarify in the revised paper for the final proceedings):

In SSL and TLS, the client isn't signing random data provided by the adversary. Rather, the client is signing a value derived from data both the client and server provide as part of the handshake. I do not believe it is feasible for a malicious server to choose its nonces so that the resulting signature would coincide with a valid signature on a delegation cert the client might have constructed.

(On the other hand, if we're wrong, I'm sure that will be pointed out repeatedly here in the next day or two :)

--Sean
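As an added example (not code from the post, and a simplified model rather than the TLS wire format): the naive "sign what the server sends" protocol beside the transcript-hash construction Sean describes, with a check that a server choosing its own nonces cannot steer the signed digest onto the digest of a delegation cert. Message names, the SHA-256 choice and the delegation-cert format are assumptions.

```python
import hashlib
import os

# Added illustration (not from the post or any TLS library): a simplified
# model of what a TLS client signs, versus signing a peer-supplied challenge.

def naive_signed_message(peer_challenge: bytes) -> bytes:
    """Client signs the raw challenge. Whoever picks the challenge picks the
    exact bytes signed, so a key reused for delegation certs is at risk."""
    return peer_challenge

def handshake_transcript(client_random: bytes, server_random: bytes,
                         server_msgs: list) -> bytes:
    """Handshake as both sides saw it: ClientHello carrying the client's nonce,
    ServerHello carrying the server's nonce, then the server's later messages."""
    return b"".join([b"ClientHello" + client_random,
                     b"ServerHello" + server_random] + list(server_msgs))

def tls_style_signed_message(client_random: bytes, server_random: bytes,
                             server_msgs: list) -> bytes:
    """The client signs a hash over the whole transcript, which includes 32
    fresh bytes the client chose itself before the server sent anything."""
    transcript = handshake_transcript(client_random, server_random, server_msgs)
    return hashlib.sha256(transcript).digest()

def delegation_cert_signed_message(cert_tbs: bytes) -> bytes:
    """What the same key signs when issuing a delegation cert (hypothetical
    format: the to-be-signed bytes are hashed the same way)."""
    return hashlib.sha256(cert_tbs).digest()

def server_dictates_naive_signature(target: bytes) -> bool:
    """In the naive protocol the server just sends the target as its challenge."""
    return naive_signed_message(target) == target

def server_can_match_tls_signature(cert_tbs: bytes, client_random: bytes,
                                   tries: int) -> bool:
    """A server that already knows client_random tries `tries` random nonces
    hoping the transcript hash equals the delegation-cert digest. Succeeding
    would mean finding a second preimage of SHA-256 on data it only partly
    controls, which is why this returns False for any realistic budget."""
    target = delegation_cert_signed_message(cert_tbs)
    for _ in range(tries):
        if tls_style_signed_message(client_random, os.urandom(32), []) == target:
            return True
    return False
```

Hashing a transcript that carries the client's own nonce is what defeats the server's search; later TLS versions go further and prefix a fixed context string to the transcript hash before signing, which keeps this protocol's signatures from being meaningful in any other use of the key.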


--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
