On 23/02/16 10:41, Rob Stradling wrote:
On 23/02/16 06:03, Tom Ritter wrote:
<snip>
[Rob]
I think that blacklisting the shared issuer public key would be better
than blacklisting the shared issuer name.
At first glance, I agree - but there is that annoying trick where you
can generate multiple (or at least two) public keys that all certify
the same signature. So I'm not sure this would actually work.
SCTs in 6962-bis already contain the issuer_key_hash (which is the DER
encoding of the issuer's SubjectPublicKeyInfo). Is that enough to
defeat your trick key attack?
Hmmm, I wonder if we need to add issuer_key_hash to inclusion proofs as
well (i.e. the InclusionProofDataV2 struct)?
Actually, issuer_key_hash is already included in the
TimestampedCertificateEntryDataV2 structure from which leaf hashes are
calculated. I think that's sufficient to guard against inclusion proofs
being considered valid in conjunction with a trick issuer public key
(but please correct me if I'm wrong!)
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
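
The binding discussed in this message, as an added example that is not part of the original e-mail or of any CT implementation: when the issuer key hash is part of the data the leaf hash is computed over, an inclusion proof only verifies for the issuer key the log recorded. The entry layout is a simplified stand-in for TimestampedCertificateEntryDataV2, and all keys, certificates and timestamps are constructed byte strings (assumptions).

```python
import hashlib, struct

def sha256(b): return hashlib.sha256(b).digest()
def leaf_hash(entry): return sha256(b"\x00" + entry)    # RFC 6962 leaf prefix
def node_hash(l, r): return sha256(b"\x01" + l + r)     # RFC 6962 node prefix

def entry_bytes(timestamp, issuer_spki_der, tbs):
    # Simplified layout (assumption): timestamp || issuer_key_hash || tbs_certificate
    ikh = sha256(issuer_spki_der)
    return (struct.pack(">Q", timestamp) + bytes([len(ikh)]) + ikh
            + len(tbs).to_bytes(3, "big") + tbs)

def _split(n): return 1 << ((n - 1).bit_length() - 1)   # largest power of 2 < n

def mth(hs):                                            # Merkle tree hash
    if len(hs) == 1: return hs[0]
    k = _split(len(hs))
    return node_hash(mth(hs[:k]), mth(hs[k:]))

def audit_path(m, hs):                                  # log side: proof for leaf m
    if len(hs) == 1: return []
    k = _split(len(hs))
    if m < k: return audit_path(m, hs[:k]) + [mth(hs[k:])]
    return audit_path(m - k, hs[k:]) + [mth(hs[:k])]

def verify_inclusion(lh, index, size, path, root):      # client side
    if index >= size: return False
    fn, sn, r = index, size - 1, lh
    for p in path:
        if sn == 0: return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not fn & 1 and fn != 0:
                fn >>= 1; sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1; sn >>= 1
    return sn == 0 and r == root

def demo():
    ts, tbs = 1456224000000, b"constructed-tbs-certificate"
    logged_spki = b"constructed-SPKI-of-logged-issuer"
    other_spki = b"constructed-SPKI-of-a-different-key"
    leaves = [leaf_hash(entry_bytes(ts + i, b"spki-%d" % i, b"tbs-%d" % i))
              for i in range(5)]
    leaves[3] = leaf_hash(entry_bytes(ts, logged_spki, tbs))
    root, path = mth(leaves), audit_path(3, leaves)
    # The client rebuilds the leaf from the issuer key it is asked to trust.
    check = lambda spki: verify_inclusion(
        leaf_hash(entry_bytes(ts, spki, tbs)), 3, 5, path, root)
    return check(logged_spki), check(other_spki)
```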