At 6:18 PM -0500 2/5/02, Ryan McBride wrote:

>On Tue, Feb 05, 2002 at 11:16:40AM -0800, Bill Frantz wrote:
>> I expect you could initialize the random data in that memory during
>> manufacture with little loss of real security. (If you are concerned about
>> the card's manufacturer, then you have bigger problems. If anyone does,
>> the manufacturer has the necessary equipment to extract data from secret
>> parts of the card, install Trojans etc.)
>
>"They say a secret is something you tell one other person"
> -- U2, "The Fly"
>
>While it is true that most users of smartcards will choose to simply
>trust the manufacturer, paranoid users could use an n choose m type of
>approach to achieve a certain level of assurance. In most cases
>verifying that a card is trojan free is a destructive process, so the
>user would test a relatively low percentage of cards and make the
>penalty for cheating high enough to ensure that the manufacturer stays
>honest.
One criterion for a cryptographic system that is rarely mentioned is auditability. To the maximum extent possible users should be able to verify every component of the system that affects security. We have gotten too used to systems so bloated that no one can know what's in them. There are historic reasons for this but that is no excuse. Finding out how to simplify systems is far more important today than designing the next great cipher. A great virtue of doing all crypto on a smart card is that they can be verified, at least with some effort.

>Having the manufacturer provide the random data changes the burden of
>proof drastically - there is no way to _prove_ that they did not
>retain a copy of the random data, while it can be proved that they did
>not try to cheat simply by testing all the cards.

And creates a potential legal liability for the smart card manufacturer.

This gets to the original question of this thread. I wonder why the CA's lawyers let them generate private keys themselves. If it ever came out that private keys were misused by CA employees or even someone who penetrated their security, they would be legally defenseless, all the gobbledygook in their practice statements notwithstanding. There is no good business reason for a CA to generate private keys and very powerful business reasons for them not to.

Arnold Reinhold

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
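The "test a relatively low percentage of cards" idea above rests on a sampling argument: if a manufacturer trojans even a small number of cards in a batch, a random destructive sample has a calculable chance of catching at least one. The following is an added worked example (not code from the thread or from any card vendor) that computes that detection probability with the hypergeometric distribution and finds the smallest sample that reaches a target confidence. The batch sizes and trojan counts are constructed illustrative values, not figures from the discussion.

```python
from math import comb


def detection_probability(total_cards: int, trojaned: int, sampled: int) -> float:
    """Probability that destructively testing `sampled` cards, drawn uniformly at
    random without replacement from a batch of `total_cards` of which `trojaned`
    are compromised, reveals at least one compromised card.

    P(no compromised card in the sample) = C(N - k, m) / C(N, m)  (hypergeometric),
    so P(detect) = 1 - that ratio.
    """
    if not (0 <= trojaned <= total_cards and 0 <= sampled <= total_cards):
        raise ValueError("arguments out of range")
    if trojaned == 0:
        return 0.0  # nothing to detect; an honest batch never yields a hit
    if sampled > total_cards - trojaned:
        return 1.0  # pigeonhole: the sample cannot consist of clean cards only
    return 1.0 - comb(total_cards - trojaned, sampled) / comb(total_cards, sampled)


def sample_size_for_confidence(total_cards: int, trojaned: int, confidence: float) -> int:
    """Smallest number of cards to sacrifice so that, if the manufacturer trojaned
    at least `trojaned` cards, the chance of catching one is >= `confidence`.
    Linear scan is fine here: detection probability is monotone in the sample size.
    """
    for m in range(total_cards + 1):
        if detection_probability(total_cards, trojaned, m) >= confidence:
            return m
    return total_cards


if __name__ == "__main__":
    # Constructed scenario: a batch of 1000 cards, adversary compromises 10 of them.
    batch, bad = 1000, 10
    for m in (10, 50, 100, 250):
        print(f"sample {m:4d} of {batch}: P(detect) = {detection_probability(batch, bad, m):.3f}")
    print("cards to destroy for 95% confidence:", sample_size_for_confidence(batch, bad, 0.95))
```

The numbers make the trade-off in the quoted message concrete: against a manufacturer who only corrupts a handful of cards per batch, a low sampling percentage gives modest per-batch detection odds, and the "penalty high enough" part of the argument is what makes even those odds a deterrent.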