On Mon, May 18, 2020 at 7:55 PM Kyle Hamilton via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> A potential attack without Proof of Possession which PKIX glosses over
> could involve someone believing that a signature on a document combined
> with the non-possession-proved certificate constitutes proof of possession,
> and combined with external action which corroborates the contents of the
> document could heuristically evidence the authority to issue the document.
> (Yes, this would be a con job. But it would be prevented if CAs actually
> had the applicant prove possession of the private key.)

The problem with this attack is that it has no relevance to TLS and server certificates. Which is important to understand, especially why the omission is, as I stated, intentional.

I appreciate the appeal to theoretical purity of consistency among PKIs, but comparing the needs of one PKI with the needs of another is not a reasonable comparison to make. That same logical leap would have all keys in HSMs in safes, or forbid keys from being in safes, both of which we know are appropriate or inappropriate - depending on the use case.

> Regardless of that potential con, though, there is one very important thing
> which Proof of Possession is good for, regardless of whether any credible
> attacks are "enabled" by its lack: it enables identification of a situation
> where multiple people independently generate and possess the same keypair
> (such as what happened in the Debian weak-key fiasco). Regardless of how
> often it might be seen in the wild, the fact is that on every key
> generation there is a chance (small, but non-zero) that the same key will
> be generated again, probably by someone different than the person who
> originally generated it. (With bad implementations the chance gets much
> larger.)

This argument doesn't hold water. This is an argument not about proof of possession about private key, but about the public key itself. Multiple parties possessing the same key pair are revealed by the public key. Proof of possession provides zero value.
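The duplicate-key point in the final reply, as an added example that is not part of the original message: a CA-side check that indexes each request's SubjectPublicKeyInfo by hash flags a key shared between subscribers, or one on a weak-key list, without consulting any proof-of-possession signature. The `KeyRegistry` class, the account names and the toy moduli are assumptions constructed for illustration.

```python
import hashlib

# AlgorithmIdentifier for rsaEncryption (1.2.840.113549.1.1.1) with NULL parameters.
RSA_ALG = bytes.fromhex("300d06092a864886f70d0101010500")

def tlv(tag, body):
    """DER tag-length-value with a definite length (short or long form)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def der_uint(v):
    """Minimal DER INTEGER for a non-negative value (0x00 pad when the top bit is set)."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def rsa_spki(n, e=65537):
    """SubjectPublicKeyInfo for an RSA public key, as carried in a CSR or certificate."""
    rsa_key = tlv(0x30, der_uint(n) + der_uint(e))
    return tlv(0x30, RSA_ALG + tlv(0x03, b"\x00" + rsa_key))

class KeyRegistry:
    """Hypothetical CA-side index of every public key seen, keyed by SHA-256 of the SPKI."""
    def __init__(self, known_weak=()):
        self.owners = {}                    # fingerprint -> set of account names
        self.known_weak = set(known_weak)   # fingerprints of keys from broken generators

    def check(self, account, spki):
        """Return findings for one request. Only the public key is consulted."""
        fp = hashlib.sha256(spki).hexdigest()
        findings = ["known-weak-key"] if fp in self.known_weak else []
        owners = self.owners.setdefault(fp, set())
        others = sorted(owners - {account})
        if others:
            findings.append("shared-with:" + ",".join(others))
        owners.add(account)
        return findings

# Constructed toy moduli (not real RSA keys); N_WEAK stands in for a weak-generator key.
N_ONE, N_TWO, N_WEAK = 0xC3A1F00D9B5E7711, 0x8D2E4417AA90C3F5, 0xFFEE12345678ABCD

def demo():
    # Constructed request sequence: a renewal, a cross-subscriber duplicate, a weak key.
    reg = KeyRegistry(known_weak={hashlib.sha256(rsa_spki(N_WEAK)).hexdigest()})
    requests = [("alice", N_ONE), ("alice", N_ONE), ("bob", N_ONE), ("bob", N_TWO), ("carol", N_WEAK)]
    return [reg.check(acct, rsa_spki(n)) for acct, n in requests]
```
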