On 16/12/12 11:47 AM, Adam Back wrote:
(note the tidy email editing, Ben, and other blind top posters to massive
email threads :)
See inline.
On Sun, Dec 16, 2012 at 10:52:37AM +0300, ianG wrote:
[...] we want to prove that a certificate found in an MITM was in the
chain or not.
But (4) we already have that, in a non-cryptographic way. If we find
a certificate that is apparently signed by say VeriSign root and was
found in an MITM, we can simply publish it with the facts. Verisign
are then encouraged to disclose (a) it was ours, (b) it wasn't ours,
or (c) mmmmummm...
Verisign can't claim it wasn't theirs because the signing CA it will be
signed by one of their roots, or a sub-CA thereof.
Just to nitpick on this point, a CA certainly can claim that they or an
agent did not sign a certificate. And, they can provide the evidence,
and should have the ability to do this: CAs internally have logs as to
what they did or did not sign, and this is part of their internal process.
This is because the real world doesn't trust the cryptographic evidence
on the face of it, we always need to go back to an independent
verification of some form - a further point against Ben's proposal.
As a case in point, the spear phishing attack that occurred a couple of
years back is now thought to be a case of attacker-forged certs, with no
signing action by the CA. In this case, all of the implicated attacks
involved 512 bit RSA signing, suggesting easy solutions.
http://wiki.cacert.org/Risk/History#h2011.4
As I say, just a nitpick - the main point is that we can demand facts
and then use those facts to assemble a picture of where the risks lie.
Which you admirably show. If the CA declines to play, that's just
another fact.
iang