On May 28, 2007, at 6:18 AM, Ian G wrote:
Allen wrote:
Which lead me to the thought that if it is possible, what could be
done to reduce the risk of it happening?
It occurred to me that perhaps some variation of "separation of
duties" like two CAs located in different political environments
might be used to accomplish this by having each cross-signing the
certificate so that the compromise of one CA would trigger an
invalid certificate. This might work if the compromise of the CA
happened *after* the original certificate was issued, but what if
the compromise was long standing? Is there any way to accomplish
this?
What you are suggesting is called Web of Trust (WoT). That's what
the PGP world does, more or less, and I gather that the SPKI
concept includes it, too.
However, x.509 does not support it. There is no easy way to add
multiple signatures to an x.509 certificate without running into
support problems (that is, of course you can hack it in, but
browsers won't understand it, and developers won't support you).
I'm going to disagree with you a bit, Ian. If you take two X.509
certificates that contain the same public key, they are semantically
equivalent to an OpenPGP certificate with two signatures on the key.
PGP [1] does this; it takes public keys and images them into OpenPGP
and X.509 certificates, creating parallel structures.
Yes, most X.509-using software doesn't know diddly about multiple
certifications. In most cases, this doesn't matter, because you just
hand them one certificate they'll accept and they go on their merry
way. Yes, this introduces risk that Alan is talking about, but that's
*their* problem, not mine.
(Anecdote 1: I pushed all of the Ricardo financial transaction
stuff over to x.509 for a time in 1998, but when I discovered the
lack of multiple sigs, and a few other things, I was forced to go
back to PGP. Unfortunately, finance is fundamentally web of trust,
and hierarchical PKI concepts such as coded into x.509, etc, will
not work in that environment.)
This was nonetheless likely a wise engineering decision because
OpenPGP supports this directly, and in X.509 you have to create a lot
of software to recognize that a set of certificates belong together.
(Anecdote 2: over at CAcert they attempt to graft a web of trust on
to the PKI, and they sort of succeed. But the result is not truly
WoT, it is a hybrid, in that there is still only one sig on the
cert, and we are back to the scenario that you suggest.
Disclosure: I have something to do with CAcert...)
Bridge CAs are also a way of putting web-of-trust concepts into
hierarchical trust systems as well.
So as a practical matter, that which is known as x.509 PKI cannot
do this. For this reason, some critics have relabeled the CAs as
Centralised Vulnerability Parties (CVPs) instead of the more
familiar Trusted Third Parties (TTPs).
As a side note, outside the cryptography layer, there are legal,
contractual, customary defences against the attacks that you outline.
That I agree with completely. You cannot create trust with
cryptography, no matter how much cryptography you use. A good
jurisdiction trumps technology.
Jon
[1] PGP is a registered trademark of PGP Corporation and refers to
software that it produces. The PGP Software Products implement the
OpenPGP protocol standard, as well as several dialects of X.509. It
also implements S/MIME, TLS, and a variety of other standard and non-
standard protocols. Since I'm a founder and executive of that
company, I'm obligated to point this out periodically, despite the
irritation.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
