Allen wrote:
Which lead me to the thought that if it is possible, what could be done
to reduce the risk of it happening?
It occurred to me that perhaps some variation of "separation of duties"
like two CAs located in different political environments might be used
to accomplish this by having each cross-signing the certificate so that
the compromise of one CA would trigger an invalid certificate. This
might work if the compromise of the CA happened *after* the original
certificate was issued, but what if the compromise was long standing? Is
there any way to accomplish this?
What you are suggesting is called Web of Trust (WoT).
That's what the PGP world does, more or less, and I gather
that the SPKI concept includes it, too.
However, x.509 does not support it. There is no easy way to
add multiple signatures to an x.509 certificate without
running into support problems (that is, of course you can
hack it in, but browsers won't understand it, and developers
won't support you).
(Anecdote 1: I pushed all of the Ricardo financial
transaction stuff over to x.509 for a time in 1998, but when
I discovered the lack of multiple sigs, and a few other
things, I was forced to go back to PGP. Unfortunately,
finance is fundamentally web of trust, and hierarchical PKI
concepts such as coded into x.509, etc, will not work in
that environment.)
(Anecdote 2: over at CAcert they attempt to graft a web of
trust on to the PKI, and they sort of succeed. But the
result is not truly WoT, it is a hybrid, in that there is
still only one sig on the cert, and we are back to the
scenario that you suggest. Disclosure: I have something to
do with CAcert...)
So as a practical matter, that which is known as x.509 PKI
cannot do this. For this reason, some critics have
relabeled the CAs as Centralised Vulnerability Parties
(CVPs) instead of the more familiar Trusted Third Parties
(TTPs).
As a side note, outside the cryptography layer, there are
legal, contractual, customary defences against the attacks
that you outline.
iang
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]