On Mon, May 18, 2020 at 7:55 PM Kyle Hamilton via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
> A potential attack without Proof of Possession which PKIX glosses over
> could involve someone believing that a signature on a document combined
> with the non-possession-proved certificate constitutes proof of possession,
> and combined with external action which corroborates the contents of the
> document could heuristically evidence the authority to issue the document.
> (Yes, this would be a con job. But it would be prevented if CAs actually
> had the applicant prove possession of the private key.)

The problem with this attack is that it has no relevance to TLS and
server certificates, which is important to understand, especially why
the omission is, as I stated, intentional.

I appreciate the appeal to theoretical purity of consistency among
PKIs, but comparing the needs of one PKI with the needs of another is
not a reasonable comparison to make. That same logical leap would have
all keys in HSMs in safes, or forbid keys from being in safes, both of
which we know are appropriate or inappropriate - depending on the use

> Regardless of that potential con, though, there is one very important thing
> which Proof of Possession is good for, regardless of whether any credible
> attacks are "enabled" by its lack: it enables identification of a situation
> where multiple people independently generate and possess the same keypair
> (such as what happened in the Debian weak-key fiasco). Regardless of how
> often it might be seen in the wild, the fact is that on every key
> generation there is a chance (small, but non-zero) that the same key will
> be generated again, probably by someone different than the person who
> originally generated it. (With bad implementations the chance gets much
> larger.)

This argument doesn't hold water. This is an argument not about proof
of possession of the private key, but about the public key itself.
Multiple parties possessing the same key pair are revealed by the
public key. Proof of possession provides zero value.
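The claim in the reply above (that parties who independently generate the same key pair are revealed by the public key alone, with no proof of possession involved) can be illustrated with a small simulation. The following is an added example, not code from either participant in this thread or from any CA. It uses a toy discrete-log key pair over a hypothetical small group (the constants P and G, the weak_keygen, spki_fingerprint, ToyCA and simulate names are all assumptions of this example), a deliberately under-seeded PRNG in the style of the Debian weak-key bug, and a CA-side index keyed by a fingerprint of the public key material. Every duplicate key pair is detected purely from what the applicant would submit in any certificate request, which is the point the reply makes.

```python
"""Toy simulation: duplicate key pairs are detectable from the public key alone.

Added example, not from the mailing-list thread. Nothing here is a real key
scheme; it only models 'same seed -> same key pair' and a CA that indexes
submitted public keys.
"""
import hashlib
import random
from collections import defaultdict

# Hypothetical toy group: a Mersenne prime and a fixed base. Not a real key
# scheme and far too small for any real use; chosen so pow() is fast.
P = 2305843009213693951  # 2**61 - 1
G = 7


def weak_keygen(seed: int) -> tuple[int, int]:
    """Generate a (private, public) pair from a PRNG seeded by a small value.

    Models the Debian-class flaw: the only entropy is a small integer (e.g. a
    process id), so two applicants with the same seed get the same key pair.
    """
    rng = random.Random(seed)
    priv = rng.randrange(2, P - 1)
    pub = pow(G, priv, P)
    return priv, pub


def spki_fingerprint(pub: int) -> str:
    """Fingerprint of the public key material only.

    Stand-in for a SHA-256 over the DER-encoded SubjectPublicKeyInfo that a
    CA would see in a CSR; no private-key knowledge is involved.
    """
    return hashlib.sha256(pub.to_bytes(8, "big")).hexdigest()


class ToyCA:
    """Minimal CA-side index: public-key fingerprint -> subjects that submitted it."""

    def __init__(self) -> None:
        self.index: dict[str, list[str]] = defaultdict(list)

    def submit(self, subject: str, pub: int) -> list[str]:
        """Record a submission; return subjects that already hold this key."""
        fp = spki_fingerprint(pub)
        prior = list(self.index[fp])
        self.index[fp].append(subject)
        return prior

    def duplicate_groups(self) -> dict[str, list[str]]:
        """All fingerprints submitted by more than one distinct subject."""
        return {fp: subs for fp, subs in self.index.items() if len(subs) > 1}


def simulate(n_applicants: int = 600, seed_space: int = 256):
    """Run n_applicants through the CA, each with a key from a weak seed.

    With more applicants than possible seeds, duplicates are guaranteed by
    the pigeonhole principle: at least n_applicants - seed_space submissions
    will match a key the CA has already seen.
    Returns (ca, flagged) where flagged maps a subject to the earlier holders
    of the same public key.
    """
    ca = ToyCA()
    env = random.Random(2020)  # constructed: picks each applicant's "PID"
    flagged: dict[str, list[str]] = {}
    for i in range(n_applicants):
        seed = env.randrange(seed_space)
        _priv, pub = weak_keygen(seed)
        subject = f"applicant-{i}"
        prior = ca.submit(subject, pub)
        if prior:
            flagged[subject] = prior
    return ca, flagged


if __name__ == "__main__":
    ca, flagged = simulate()
    print(f"{len(flagged)} submissions reused an already-seen public key")
    print(f"{len(ca.duplicate_groups())} distinct keys are held by multiple subjects")
```

The detection step never consults the private key or any signature over the request; a proof-of-possession check would pass for every one of the colliding applicants, since each of them genuinely holds the (shared) private key.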