On Wed, 28 Jul 2010 15:16:32 +0100 Ben Laurie <b...@google.com> wrote:
> On 28 July 2010 15:05, Perry E. Metzger <pe...@piermont.com> wrote:
> > On Wed, 28 Jul 2010 14:38:53 +0100 Ben Laurie <b...@links.org> wrote:
> >>
> >> And still needs revocation.
> >
> > Does it?
> >
> > I will point out that many security systems, like Kerberos,
> > DNSSEC and SSH, appear to get along with no conventional notion
> > of revocation at all
> Maybe it doesn't, but no revocation mechanism at all makes me
> nervous.

I think that is because you are thinking in terms of certificates,
which naturally would require such a mechanism.

> I don't know Kerberos well enough to comment.

In kerberos, tickets are short lived -- one can simply fail to give
the person who stole a credential new ones, and in the interim, one
can remove the authorization that a particular principal has.

> DNSSEC doesn't have revocation but replaces it with very short
> signature lifetimes (i.e. you don't revoke, you time out).

Yes. Precisely.

> SSH does appear to have got away without revocation, though the
> nature of the system is s.t. if I really wanted to revoke I could
> almost always contact the users and tell them in person.

No, that's not what SSH does, or rather, it confuses the particular
communications channel (i.e. some out of band mechanism) with the
method that actually de-authorizes the key.

The point is that in SSH, if a key is stolen, you remove it from the
list of keys allowed to log in to a host. The key now need never be
thought about again. We require no list of "revoked keys" be kept,
just as we required no signed list of keys that were authorized. We
just had some keys in a database to indicate that they were
authorized, and we removed a key to de-authorize it.

> This doesn't scale very well to SSL-style systems.

I believe it does scale. Pretty much by definition, if you can get to
a web site, your Internet connectivity is working. That means that
there is no need for methods like having a signed key that lasts for
years so you can cache it for offline use.

I'm sure you remember the 1960s and 1970s well, as we are both a bit
past our youth. In the US, at least, every store clerk had in their
hands an unwieldy, telephone-book sized list of stolen credit card
numbers they had to consult at each credit card transaction. In those
days, there were no cheap modems and doing on-line verification was

The whole point of Kohnfelder's thesis was, in effect, to turn the
1970s era books of stolen numbers into an offline machine readable
list. You signed a long-lived credential so that it could be checked
offline, and you kept a big book of withdrawn credentials around so
you could check them offline as well. It was a model from the era in
which everyone had a paper phone book. It was designed for the era
where networks were a rarity.

We no longer live in that era. The models used by Kerberos, DNSSEC,
SSH, and such, make far more sense. We no longer need revocation.

Perry E. Metzger                pe...@piermont.com

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to