Ben Bucksch wrote:
Duane wrote:

Ben Bucksch wrote:

When I say I want nobody to listen, I mean *nobody*.


Simply isn't possible with the PKI model...


I don't know of anything better for the general run of the mill joe public that would be any better...


What about the model I proposed? First cert for a person is either CA-based or self-signed, subsequent certs *must* be authorized and signed by the previous cert or will be treated as attack.


Web of trust solves the "nobody" requirement, but
CA/PKI does not, in general, and neither does the
SSH model (more properly, opportunistic crypto).

In web of trust (WoT), both parties
communicate their fingerprints over other means
(generally phone or person to person) and then
sign each other's keys.  From then on, they are
protected from all on-the-wire attacks (but they are
not protected if their nodes/keys are compromised).

This would be relatively easy to put into x.509 mail
agents from a conceptual pov, but there would need
to be some hackery, as the x.509 layout does not
support more than one signature on the cert.  I.e.,
it does not support WoT.

(In your example above, the CA signature on the
cert is irrelevant, as you are starting from a
known key and using that to bootstrap comms.  This
is the SSH model.  But, you have to establish
what the known key is to both parties - hence, WoT.)


The only 2 problems I see are:

   * Identify "person". People still change their email addresses, and
     different people with the same name exist. Might be solvable with
     help from user.
   * People using certs, but being careless: Signing up to one, then
     deleting it, e.g. reinstalling their harddrive. What do I do as
     recipient? Do I believe the story or not? Most people would, and
     then they'd fall for the attack as well. But at least we turned a
     technical attack, invisible to the user, into a social engineering
     attack, which is much harder and can be prevented by
     smart/knowledgeable recipients.


All good crypto protocols are made of two parts,
the first part of which tells the second to "trust
this key completely."

In CA/PKI architecture, the CA is the first part,
and the CA tells the second part (SSL) to trust
keys signed by the CA completely.  Thus, any issues
generally occur with reference to the CA.

* The CA defines what person is.  They might do this
by demanding company docs, or in CACert's part, by
demanding three trusted OpenPGP sigs.  If a person
changes her name (or email address), then she becomes
another "person" as far as the CA is concerned.

* If the person loses their cert, she has to go
back to the CA and get another.

(If it were a WoT system, then the user would
generate another key and exchange fingerprints
again.)

iang
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
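The key-continuity rule Ben proposes above (first cert pinned, any later cert must be signed by the previous one or is treated as an attack), together with the lost-key case from his second bullet, as an added Go example; this is not code from the thread or from any Mozilla project, and the e-mail address, the key names and the use of ed25519 signatures in place of x.509 cert signing are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verdict is the result of the continuity check for one incoming certificate.
type Verdict int

const (
	FirstContact Verdict = iota // no pinned key yet: pin it (self-signed or CA-checked elsewhere)
	Known                       // same key as the pinned one
	Rotated                     // new key carrying a valid signature from the pinned key
	Attack                      // new key without valid authorization from the pinned key
)

// KeyStore pins one public key per sender identifier (here an e-mail address).
type KeyStore map[string]ed25519.PublicKey

// Check enforces the proposed rule: the first key seen is pinned; a later key is
// accepted only if auth is the pinned key's signature over the new key.
func (ks KeyStore) Check(sender string, key ed25519.PublicKey, auth []byte) Verdict {
	prev, seen := ks[sender]
	switch {
	case !seen:
		ks[sender] = key
		return FirstContact
	case prev.Equal(key):
		return Known
	case ed25519.Verify(prev, key, auth): // a missing or malformed auth simply fails
		ks[sender] = key
		return Rotated
	default:
		return Attack
	}
}

// Reset drops the pin: the explicit, out-of-band decision the recipient must make
// when a sender claims the old key is gone (the social-engineering step above).
func (ks KeyStore) Reset(sender string) { delete(ks, sender) }

func main() {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader) // constructed: Alice's first key
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)     // constructed: Alice's replacement key
	pubX, _, _ := ed25519.GenerateKey(rand.Reader)     // constructed: an unrelated (attacker) key
	ks := KeyStore{}
	fmt.Println(ks.Check("alice@example.com", pubA, nil))                       // 0 (FirstContact)
	fmt.Println(ks.Check("alice@example.com", pubX, nil))                       // 3 (Attack)
	fmt.Println(ks.Check("alice@example.com", pubB, ed25519.Sign(privA, pubB))) // 2 (Rotated)
}
```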