On Sat 5/26/2007 at 8:59 PM Allen [EMAIL PROTECTED] wrote:

> Validating a digital signature requires getting the public key from
> some source, like a CA, or a publicly accessible database and
> decrypting the signature to validate that the private key associated
> with the public key created the digital signature, or "open message."

No. Usually the signer's certificate is included with the message so you don't go anywhere to get Alice's certificate, but you verify it against a trusted root.

>
> Which led me to the thought of trust in the repository for the
> public key. Here in the USA, there is a long history of behind the
> scenes "cooperation" by various large companies with the forces of
> the law, like the wiretap in the AT&T wire room, etc.

From my perspective, the primary attack vector here is the Trusted Root CA list. If you can get the recipient to accept a new root, the forgery is pretty simple. If the end-user fails to validate the Trusted Root CA list and examine the certificate signature chain, then any trusted root CA could issue a cert with any "Subject" making any claim.

And yes, being in the security business, I do check the certificate chain for my bank's on-line service before logging on. (I've also complained to them when they re-used a certificate from one host for another.)

> What is to prevent this from happening at a CA and it not being
> known for a lengthy period of time? Jurors have been suborned for
> political reasons, why not CAs? Would you, could you trust a CA
> based in a country with a low ethics standard or a low regard for
> human rights?

To some extent, CAs are all about policy. What steps were required to obtain a certificate? These vary from "I had control of an e-mail account at the time of certificate issuance." to "I've had my lawyer present a notarized copy of my letters of incorporation and 2 years of public financial statements".

To me it's simple: Don't trust the root CA if you don't trust them to enforce their policies. Verisign has built a small business on this premise.

-Piers

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]