Hi Adam,
From: Adam Back [EMAIL PROTECTED]
Date: Fri, 30 Jul 2004 17:54:56 -0400
To: Aram Perez [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], Cryptography [EMAIL PROTECTED], Adam
Back [EMAIL PROTECTED]
Subject: Re: should you trust CAs? (Re: dual-use digital signature
vulnerability)
On Wed
On Wed, Jul 28, 2004 at 10:00:01PM -0700, Aram Perez wrote:
As far as I know, there is nothing in any standard or good security
practice that says you can't multiple certificate for the same email
address. If I'm willing to pay each time, Verisign will gladly issue me a
certificate with my
At 02:09 PM 7/28/04 -0400, Adam Back wrote:
The difference is if the CA does not generate private keys, there
should be only one certificate per email address, so if two are
discovered in the wild the user has a transferable proof that the CA
is up-to-no-good. Ie the difference is it is
Aram Perez [EMAIL PROTECTED] writes:
I agree with Michael H. If you trust the CA to issue a cert, it's not that
much more to trust them with generating the key pair.
Trusting them to safely communicate the key pair to you once they've generated
it is left as an exercise for the reader :-).
Hi Adam,
The difference is if the CA does not generate private keys, there
should be only one certificate per email address, so if two are
discovered in the wild the user has a transferable proof that the CA
is up-to-no-good. Ie the difference is it is detectable and provable.
As far as I
For what it's worth, last week, I had the chance to eat dinner with
Carlisle Adams (author of the PoP RFC), and he commented that he didn't
know of any CA that did PoP any other way than have the client sign
part of a CRM.
Clearly, this seems to contradict Peter's experience.
I'd REALLY love
The difference is if the CA does not generate private keys, there
should be only one certificate per email address, so if two are
discovered in the wild the user has a transferable proof that the CA
is up-to-no-good. Ie the difference is it is detectable and provable.
If the CA in normal
At 12:09 PM 7/28/2004, Adam Back wrote:
The difference is if the CA does not generate private keys, there
should be only one certificate per email address, so if two are
discovered in the wild the user has a transferable proof that the CA
is up-to-no-good. Ie the difference is it is detectable
attempt to address this area; rather than simple i agree/disagree
buttons ... they put little checkmarks at places in scrolled form you
have to at least scroll thru the document and click on one or more
checkmarks before doing the i agree button. a digital signature has
somewhat
Barney Wolff wrote:
Pardon a naive question, but shouldn't the signing algorithm allow the
signer to add two nonces before and after the thing to be signed, and
make the nonces part of the signature? That would eliminate the risk
of ever signing something exactly chosen by an attacker, or at
| the issue in the EU FINREAD scenario was that they needed a way to
| distinguish between (random) data that got signed ... that the key owner
| never read and the case were the key owner was actually signing to
| indicate agreement, approval, and/or authorization. They specified a
| FINREAD
At 08:25 AM 7/19/2004, Jerrold Leichter wrote:
A traditional notary public, in modern terms, would be a tamper-resistant
device which would take as inputs (a) a piece of text; (b) a means for
signing (e.g., a hardware token). It would first present the actual text
that is being signed to the
About using a signature key to only sign contents presented in a meaningful
way that the user supposedly read, and not random challenges:
The X.509 PoP (proof-of-possession) doesn't help things out, since a public
key certificate is given to a user by the CA only after the user has
demonstrated
| note that some of the online click-thru contracts have been making
| attempt to address this area; rather than simple i agree/disagree
| buttons ... they put little checkmarks at places in scrolled form you
| have to at least scroll thru the document and click on one or more
| checkmarks
At 01:33 AM 7/18/2004, Amir Herzberg wrote:
I don't see here any problem or attack. Indeed, there is difference
between signature in the crypto sense and legally-binding
signatures. The later are defined in one of two ways. One is by the
`digital signature` laws in different countries/states; that
the fundamental issue is that there are infrastructures using the same
public/private key pair to digital sign
1) random authentication data that signer never looks at and believe is of
low value ... if they connect to anybody at all ... and are asked to
digitally sign some random data for
it isn't sufficient that you show there is some specific
authentication protocol with unread, random data ... that has
countermeasures against a dual-use attack ... but you have to
exhaustively show that the private key has never, ever signed any
unread random data that failed to contain
17 matches
Mail list logo
