Ben Laurie writes: > If I have understood your description correctly it seems to me that this > is defeated if, rather than sharing the master certificate, the bad guy > allows their friend to proxy to them for whatever proofs are required. > That way they never have to give up the precious master cert, but the > friend's slave cert's still work.
That's a good point, proxies are another way to get around limitations on credential sharing. Attempts to embed sensitive secrets in credentials don't work because there are no sensitive secrets today. You could use credit card numbers or government ID numbers (like US SSN) but in practice such numbers are widely available to the black hat community. Someone getting a credential using a stolen identifier won't be deterred from sharing it, if the only deterrence is fear of the identifier becoming public. Blacklisting seems to me to be the only good solution, and in fact it is the one proposed for the only proposed deployment of this technology I am aware of, Direct Anonymous Attestation proposed for the Trusted Computing group, http://www.zurich.ibm.com/security/daa/ . This is based on the CL signatures I referenced earlier. Trusted Computing systems have a credential which they are supposed to show to prove they are legit. But if these showing instances are linkable it is a privacy violation. (In practice IP address is normally going to provide just as much linkability, so for the most part this is all political posturing IMO, but in principle this would let you authenticate over TOR and retain your privacy.) DAA provides optionally unlinkable credential showing and relies on blacklisting to counter credential sharing. Actually the credentialed keys are supposed to be protected by hardware, so this is a second layer of defense in case someone figures out how to extract them from the chips. I'm skeptical that this will actually go forward; we are all familiar with the arguments against Trusted Computing proposals. But it is still of theoretical interest as a case study for unlinkable credentials which might actually be fielded in the near future. Hal Finney --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]