[10122] in cryptography@c2.net mail archive
Re: CFP: PKI research workshop
daemon@ATHENA.MIT.EDU (Carl Ellison)
Mon Jan 14 20:18:44 2002
Message-Id: <5.1.0.14.0.20020114135904.03156738@mailbox.jf.intel.com>
Date: Mon, 14 Jan 2002 14:08:27 -0800
To: <cryptography@wasabisystems.com>,
"SPKI Mailing List" <spki@wasabisystems.com>
From: Carl Ellison <cme@jf.intel.com>
In-Reply-To: <kjpu4comj3.fsf@romeo.rtfm.com>
Mime-Version: 1.0
Content-Type: text/plain
At 09:44 AM 1/14/2002 -0800, Eric Rescorla wrote:
>"Stef Caunter" <stefan.caunter@senecac.on.ca> writes:
>> Does a user of ssl services care to know absolutely that they are
>> communicating verifiably with whom they believe they have contacted, or does
>> the user care to know absolutely that their communication is completely
>> private?
>These are inextricably connected. If you want to know that
>your communications are private in the face of active attack
>you need to know who you're talking to as well.
Of course you do. That's why https://store.palm.com/ is such a problem. You thought you were talking to (and wanted to talk to) Palm Computing, just like the logos and page layout said you were. You're not. You're talking to a MITM. Palm hired them to run the store? The certificates don't say that.
[snip]
>> Why can't self-verification be promoted? Why can't an nslookup call be built
>> into certificate presentations?
>What are you talking about? An nslookup call wouldn't help anything.
>The essential problem is establishing that the public key you receive
>over the network actually belongs to the person you think it does.
>In the absence of a prior arrangement, the only way we know how
>to do this is to have that binding vouched for by a third-party.
Actually, Eric, the third party might confuse that for you. The function it performs with respect to naming is not totally unlike the function of early anonymizers. The TTP chooses a name to bind to the public key that might have only a tenuous relation to the name by which you know the keyholder. As a result, when you do a name comparison between the certificate Subject and what you know about this person, "the person you think it does", you may have to make a guess about whether the match is correct.
Here we spend all this effort to reduce the probability of error, in the cryptography, to values like 2^{-128} and then make the security decision depend just as much on a guess with a much greater probability of error. From the point of view of error probability, we should have left out the cryptographic part entirely.
- Carl
P.S. the workshop where we should (and probably will) be discussing this is http://www.cs.dartmouth.edu/~pki02/ and there are still two weeks before papers are due.
+--------------------------------------------------------+
|Carl Ellison Intel E: cme@jf.intel.com |
|2111 NE 25th Ave M/S JF3-212 T: +1-503-264-2900 |
|Hillsboro OR 97124 F: +1-503-264-6225 |
|PGP Key ID: 0xFE5AF240 C: +1-503-819-6618 |
| 1FDB 2770 08D7 8540 E157 AAB4 CC6A 0466 FE5A F240 |
+--------------------------------------------------------+