[1835] in cryptography@c2.net mail archive
Re: States of Identity
daemon@ATHENA.MIT.EDU (Rick Smith)
Wed Nov 12 14:26:43 1997
In-Reply-To: <87928366201736@cs26.cs.auckland.ac.nz>
Date: Wed, 12 Nov 1997 12:53:50 -0600
To: pgut001@cs.auckland.ac.nz
From: Rick Smith <smith@securecomputing.com>
Cc: cryptography@c2.net
>>From: Daniel Greenwood, regarding Texas' PKI regulations:
>>>One interesting thing I noticed while scanning PKI section of the reg.s
>>>is that certificate may be used "to certify that [the signer] controls
>>>the key pair used to create the signature."
>>>[...]
I questioned the meaning of this, and Peter Gutmann wrote:
>I would have thought that the intent was to show that you, and not you and
>Honest Louis' Investigative Agency and GAK Centre, control the key - it's a
>way of stating to the other party that "This key is not GAKked".
This doesn't sound right, either. The quoted clause seems to tie two facts
together: (a) the creation of a certificate and (b) the unconditional
assertion by the certificate's owner that the owner has exclusive control
over the corresponding private key. The statement sounds as if both (a)
implies (b) and (b) implies (a). So the existence of the certificate serves
as evidence that the owner controls the private key, regardless of the
actual facts.
If GAKking were made mandatory, owners would be technically lying when they
are issued a valid certificate, since they would not in fact have exclusive
control over their keys. This is not an unusual property of legislation
even though I personally find it repugnant.
I remain optimistically skeptical about mandatory GAKking and doubt it will
ever happen, but I'm still concerned about how this particular law handles
certificate revocation. Maybe there's an escape clause ("... unless they
publish a report that they have lost exclusive control of their private
key...") but that's not what's been reported.
Rick.
