David,
Unfortunately, I must yet again point out that there has still been no
attempt to address the issues that I and a few others have pointed out
with this document.
I have explained on multiple occasions that it is both technically
incorrect and confusing to refer to the attack as involving two CAs
with the same name and key.
You have made this statement several times, but I do not recall you
citing specific text from 5280 that supports your contention.
Although analogies are always imperfect, I'll propose two as a basis for
rejecting your assertion.
1. When a person is the victim of identity theft, this is analogous to
an attacker compromising the key of an extant CA and using it to create
a CA instance with the same name and key as the targeted CA. We do not
say that the identity thief is the same person as the victim, even
though that is the goal of the identity thief. We recognize that, in the
physical world, they are two different entities, even if the identity
thief appears to be identical to the victim in the eyes of banks,
government agencies, etc.
2. If an animal is cloned, the resulting offspring may be identical in
appearance and genetics. Yet the clones are distinct animals, not one
animal. Again, there is one animal only if one chooses to view the
animal as being defined by its appearance and genes, rather than
physical world presence. This is analogous to an attacker providing
different contact info (postal and e-mail addresses, etc.), while using
the same CA name and the same key. These appear as two CAs as far as the
CAs that issue certs to these entities are concerned.
Steve
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans