At Fri, 25 Jul 2008 07:43:06 -0400,
Bruce Lowekamp wrote:
>
> Eric Rescorla wrote:
> > At Thu, 24 Jul 2008 17:09:17 -0400,
> > Bruce Lowekamp wrote:
> >> Cullen Jennings wrote:
> >>> This issue is brought up in section 7.1
> >>> _______________________________________________
> >>> P2PSIP mailing list
> >>> [email protected]
> >>> https://www.ietf.org/mailman/listinfo/p2psip
> >>>
> >> For those who haven't looked, the question is whether we need to include 
> >> the signer's identity in the data signature input.  The draft currently 
> >> does not.  I'm not aware of any reason to do so (assuming reasonable 
> >> numbers of bits being used for the keys).
> > 
> > So, the usual rationale here is to prevent substitution attacks.
> > For instance, an attacker gets a certificate with your public
> > key but his name and then takes a message you signed and rebadges
> > it as a message he wrote. It's not clear that this is useful in any
> > practical setting, but since it's not expensive to prevent, I was sort of
> > thinking it was worth doing.
> 
> I'm not terribly motivated to protect against a failure of the CA 
> (especially since it seems like there are lots of attack vectors if you 
> can do this), but I agree that it's not really expensive, either.

Well, it's not necessarily a failure of the CA. 

(1) CAs are not required to do a proof of possession check, so you
    sometimes can get a certificate with your name but someone
    else's key. (Though the protocol we're specifying precludes
    this.)
(2) You might get two certificates with the same key (this is legal)
    and then the attacker could substitute them, which is pretty
    lame as an attack.

-Ekr
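
[Added example, not part of the original thread and not code from the draft.] The substitution case discussed above, with two certificates carrying the same key, verified once with the signer's identity left out of the signature input and once with it included. Ed25519, the `Cert` struct, the names and the length-prefixed input layout are assumptions made for illustration; CA validation of the certificates is assumed to have already succeeded.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Cert is a constructed stand-in for a validated certificate: a name bound to a key.
type Cert struct {
	Identity string
	Key      ed25519.PublicKey
}

// sigInput builds the bytes that are signed. With bind set, the signer's
// identity is length-prefixed and placed ahead of the data (assumed layout).
func sigInput(identity string, data []byte, bind bool) []byte {
	if !bind {
		return data
	}
	var buf bytes.Buffer
	var n [2]byte
	binary.BigEndian.PutUint16(n[:], uint16(len(identity)))
	buf.Write(n[:])
	buf.WriteString(identity)
	buf.Write(data)
	return buf.Bytes()
}

// Verify checks sig against the certificate the stored data claims as its signer.
func Verify(claimed Cert, data, sig []byte, bind bool) bool {
	return ed25519.Verify(claimed.Key, sigInput(claimed.Identity, data, bind), sig)
}

// Demo signs as the author, then verifies under the author's certificate and
// under a second certificate that carries the same key but another name.
func Demo(bind bool) (asAuthor, asSecond bool) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize)) // constructed key
	pub := priv.Public().(ed25519.PublicKey)
	author := Cert{"author@example.org", pub}
	second := Cert{"second@example.org", pub} // same key, different name
	data := []byte("stored value")            // constructed sample data
	sig := ed25519.Sign(priv, sigInput(author.Identity, data, bind))
	return Verify(author, data, sig, bind), Verify(second, data, sig, bind)
}

func main() {
	for _, bind := range []bool{false, true} {
		a, s := Demo(bind)
		fmt.Printf("identity bound=%v: author cert ok=%v, second cert ok=%v\n", bind, a, s)
	}
}
```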