Re: should you trust CAs? (Re: dual-use digital signature vulnerability)
Hi Adam,

> From: Adam Back <[EMAIL PROTECTED]>
> Date: Fri, 30 Jul 2004 17:54:56 -0400
> To: Aram Perez <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED], Cryptography <[EMAIL PROTECTED]>, Adam Back <[EMAIL PROTECTED]>
> Subject: Re: should you trust CAs? (Re: dual-use digital signature vulnerability)
>
> On Wed, Jul 28, 2004 at 10:00:01PM -0700, Aram Perez wrote:
>> As far as I know, there is nothing in any standard or "good security
>> practice" that says you can't have multiple certificates for the same email
>> address. If I'm willing to pay each time, Verisign will gladly issue me a
>> certificate with my email, I can revoke it, and then pay for another
>> certificate with the same email. I can repeat this until I'm bankrupt and
>> Verisign will gladly accept my money.
>
> Yes but if you compare this with the CA having the private key, you
> are going to notice that you revoked and issued a new key; also the CA
> will have your revocation log to use in their defense.
>
> At minimum it is detectable by savvy users who may notice that eg the
> fingerprint for the key they have doesn't match with what someone else
> had thought was their key.
>
>> I agree with Michael H. If you trust the CA to issue a cert, it's
>> not that much more to trust them with generating the key pair.
>
> It's a big deal to let the CA generate your key pair. Key pairs should
> be generated by the user.

From a purely (and possibly dogmatic) cryptographic point of view, yes, key
pairs should be generated by the user. But in the real world, as Ian G points
out, where businesses are trying to minimize costs and maximize profits, it is
very attractive to have the CA generate the key pair (and as Peter G pointed
out, deliver the pair securely), and issue a certificate at the same time.

I hope you are not using a DOCSIS cable modem to connect to the Internet,
because that is precisely what happened with the cable modem. A major
well-known CA generated the key pair, issued the certificate and securely
delivered them to the modem manufacturer. The modem manufacturer then injected
the key pair and certificate into the modem and sold it. I guess you can
say/argue that there is a difference between a "user key pair" and a "device
key pair", and therefore, it can work for cable modems, but I don't know how
you feel/think/believe in this case.

Until fairly recently, when smart cards could finally generate their own key
pairs, smart cards were delivered with key pairs that were generated outside
the smart card and then injected into them for delivery to the end user.

I'm not trying to change your mind, I'm just trying to point out how the real
business world works, whether we security folks like it or not.

Respectfully,
Aram Perez

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: should you trust CAs? (Re: dual-use digital signature vulnerability)
Aram Perez <[EMAIL PROTECTED]> writes:

>I agree with Michael H. If you trust the CA to issue a cert, it's not that
>much more to trust them with generating the key pair.

Trusting them to safely communicate the key pair to you once they've generated
it is left as an exercise for the reader :-).

Peter.
Re: should you trust CAs? (Re: dual-use digital signature vulnerability)
At 02:09 PM 7/28/04 -0400, Adam Back wrote:
>The difference is if the CA does not generate private keys, there
>should be only one certificate per email address, so if two are
>discovered in the wild the user has a transferable proof that the CA
>is up-to-no-good. Ie the difference is it is detectable and provable.

Who cares? A CA is not legally liable for anything they sign. A govt is not
liable for a false ID they issue a protected witness. The emperor has no
clothes, just a reputation, unchallenged, ergo vapor.

=
36 Laurelwood Dr
Irvine CA 92620-1299
VOX: (714) 544-9727 (home) mnemonic: P1G JIG WRAP
VOX: (949) 462-6726 (work -don't leave msgs, I can't pick them up) mnemonic: WIZ GOB MRAM
ICBM: -117.7621, 33.7275
HTTP: http://68.5.216.23:81 (back up, but not 99.999% reliable)
PGP PUBLIC KEY: by arrangement
Send plain ASCII text not HTML lest ye be misquoted
--
"Don't 'sir' me, young man, you have no idea who you're dealing with"
Tommy Lee Jones, MIB
Re: should you trust CAs? (Re: dual-use digital signature vulnerability)
On Wed, Jul 28, 2004 at 10:00:01PM -0700, Aram Perez wrote:
> As far as I know, there is nothing in any standard or "good security
> practice" that says you can't have multiple certificates for the same email
> address. If I'm willing to pay each time, Verisign will gladly issue me a
> certificate with my email, I can revoke it, and then pay for another
> certificate with the same email. I can repeat this until I'm bankrupt and
> Verisign will gladly accept my money.

Yes but if you compare this with the CA having the private key, you
are going to notice that you revoked and issued a new key; also the CA
will have your revocation log to use in their defense.

At minimum it is detectable by savvy users who may notice that eg the
fingerprint for the key they have doesn't match with what someone else
had thought was their key.

> I agree with Michael H. If you trust the CA to issue a cert, it's
> not that much more to trust them with generating the key pair.

It's a big deal to let the CA generate your key pair. Key pairs should
be generated by the user.

Adam
Re: should you trust CAs? (Re: dual-use digital signature vulnerability)
Hi Adam,

> The difference is if the CA does not generate private keys, there
> should be only one certificate per email address, so if two are
> discovered in the wild the user has a transferable proof that the CA
> is up-to-no-good. Ie the difference is it is detectable and provable.

As far as I know, there is nothing in any standard or "good security
practice" that says you can't have multiple certificates for the same email
address. If I'm willing to pay each time, Verisign will gladly issue me a
certificate with my email, I can revoke it, and then pay for another
certificate with the same email. I can repeat this until I'm bankrupt and
Verisign will gladly accept my money.

I agree with Michael H. If you trust the CA to issue a cert, it's not that
much more to trust them with generating the key pair.

Respectfully,
Aram Perez
Re: should you trust CAs? (Re: dual-use digital signature vulnerability)
At 12:09 PM 7/28/2004, Adam Back wrote:
> The difference is if the CA does not generate private keys, there
> should be only one certificate per email address, so if two are
> discovered in the wild the user has a transferable proof that the CA
> is up-to-no-good. Ie the difference is it is detectable and provable.
>
> If the CA in normal operation generates and keeps (or claims to
> delete) the user private key, then CA misbehavior is _undetectable_.
>
> Anyway if you take the WoT view, anyone who may have a conflict of
> interest with the CA, or if the CA or its employees or CPS is of
> dubious quality; or who may be a target of CA cooperation with law
> enforcement, secret service etc would be crazy to rely on a CA. WoT
> is the answer so that the trust maps directly to the real world trust.
> (Outsourcing trust management seems like a dubious practice, which in
> my view is for example why banks do their own security,
> thank-you-very-much, and don't use 3rd party CA services).
>
> In this view you use the CA as another link in the WoT but if you have
> high security requirements you do not rely much on the CA link.

in the case of SSL domain name certificates ... it may just mean that
somebody has been able to hijack the domain name ... and produce enuf
material that convinces the CA to issue a certificate for that domain name.

recent thread in sci.crypt
http://www.garlic.com/~lynn/2004h.html#28 Convince me that SSL certificates are not a big scam

the common verification used for email address certificates (by
certification authorities) ... is to send something to that email address
with some sort of "secret" instructions.

so the threat model is some sort of attack on email from the CA ... snarf
the user's ISP/webmail password and intercept the CA verification email.
(it simply falls within all the various forms of identity theft ... and
probably significantly simpler than getting a fraudulent driver's license).

with the defense that it is possibly another form of identity theft say you
ever actually stumbled across such a fraudulently issued certificate it
would probably be difficult to prove whether or not the certification
authority was actually involved in any collusion.

even discounting that there is no inter-CA certificate duplicate issuing
verification there are enuf failure scenarios for public/private keys that
somebody could even convince the same CA to issue a new certificate for the
same email address (even assuming that they bothered to check)

-
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
should you trust CAs? (Re: dual-use digital signature vulnerability)
The difference is if the CA does not generate private keys, there
should be only one certificate per email address, so if two are
discovered in the wild the user has a transferable proof that the CA
is up-to-no-good. Ie the difference is it is detectable and provable.

If the CA in normal operation generates and keeps (or claims to
delete) the user private key, then CA misbehavior is _undetectable_.

Anyway if you take the WoT view, anyone who may have a conflict of
interest with the CA, or if the CA or its employees or CPS is of
dubious quality; or who may be a target of CA cooperation with law
enforcement, secret service etc would be crazy to rely on a CA. WoT
is the answer so that the trust maps directly to the real world trust.
(Outsourcing trust management seems like a dubious practice, which in
my view is for example why banks do their own security,
thank-you-very-much, and don't use 3rd party CA services).

In this view you use the CA as another link in the WoT but if you have
high security requirements you do not rely much on the CA link.

Adam

On Wed, Jul 28, 2004 at 11:15:16AM -0400, [EMAIL PROTECTED] wrote:
> I would like to point out that whether or not a CA actually has the
> private key is largely immaterial because it always _can_ have the
> private key - a CA can always create a certificate for Alice whether or
> not Alice provided a public key.
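
The detectability argument in the message above, as an added example that is not part of the original thread: a Python check that compares the certificates observed for an address against the keys its owner knows about. The `Cert` record, the sample keys, names and serial numbers are constructed for illustration, and raw byte strings stand in for encoded public keys.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    email: str
    issuer: str
    serial: int
    public_key: bytes  # assumption: stand-in for the DER-encoded public key

def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of the key, as users would compare out of band."""
    return hashlib.sha256(public_key).hexdigest()

def unexplained_certs(email, known_keys, observed):
    """Certificates binding `email` to a key its owner has no record of."""
    known = {fingerprint(k) for k in known_keys}
    return [c for c in observed
            if c.email.lower() == email.lower()
            and fingerprint(c.public_key) not in known]

# Constructed sample data (not real keys or certificates).
ALICE = "alice@example.org"
KEY_OLD = b"alice-generated-key-old"   # earlier key, certificate since revoked
KEY_NEW = b"alice-generated-key-new"   # current key
OTHER_KEY = b"key-alice-never-held"

def scenario_user_generated():
    # Alice generated both keys herself and re-issued once, so two of the
    # certificates are explained by her own key log. The third is not.
    observed = [Cert(ALICE, "Example CA", 1001, KEY_OLD),
                Cert(ALICE, "Example CA", 1002, KEY_NEW),
                Cert(ALICE, "Example CA", 1003, OTHER_KEY)]
    return unexplained_certs(ALICE, [KEY_OLD, KEY_NEW], observed)

def scenario_ca_generated():
    # The CA generated KEY_NEW and retained a copy. Any use of that copy is
    # tied to the one certificate Alice already holds, so no second
    # certificate ever appears and the check has nothing to report.
    observed = [Cert(ALICE, "Example CA", 1002, KEY_NEW)]
    return unexplained_certs(ALICE, [KEY_NEW], observed)

if __name__ == "__main__":
    for c in scenario_user_generated():
        print("unexplained:", c.issuer, c.serial, fingerprint(c.public_key)[:16])
    print("CA-generated case findings:", len(scenario_ca_generated()))
```

The first scenario also covers the revoke-and-reissue objection raised in the replies: certificates for keys the owner generated are never flagged, only a key the owner has no record of.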