[1839] in cryptography@c2.net mail archive
Re: States of Identity
daemon@ATHENA.MIT.EDU (charris)
Wed Nov 12 16:15:50 1997
Date: Wed, 12 Nov 1997 14:16:39 -0600
To: Rick Smith <smith@securecomputing.com>
From: charris <charris@eden.com>
Cc: cryptography@c2.net
In-Reply-To: <v03007802b08fa2e1ad91@[172.17.1.150]>
Mr. Smith:
I believe the clause that concerns you is part of the proposed rules,
not the legislation (H.B. 984, 1997 Texas Legislative Session).
These rules are still up for comment and subject to change.
You're right, looking at the rules, I see no reference made to personal key
revocation, or even certificate revocation, only to a certificate authority
having its accreditation revoked. Setting GAK aside for the moment, is
this something that should be addressed (perhaps with wording such as
you wrote below)? If so, it's not too late.
Or am I missing the mark entirely?
Thank you,
charris@eden.com
At 12:53 PM 11/12/97 -0600, Rick Smith wrote:
>>>From: Daniel Greenwood, regarding Texas' PKI regulations:
>
>>>>One interesting thing I noticed while scanning PKI section of the reg.s
>>>>is that certificate may be used "to certify that [the signer] controls
>>>>the key pair used to create the signature."
>>>>[...]
>
>I questioned the meaning of this, and Peter Gutmann wrote:
>
>>I would have thought that the intent was to show that you, and not you and
>>Honest Louis' Investigative Agency and GAK Centre, control the key - it's a
>>way of stating to the other party that "This key is not GAKked".
>
>This doesn't sound right, either. The quoted clause seems to tie two facts
>together: (a) the creation of a certificate and (b) the unconditional
>assertion by the certificate's owner that the owner has exclusive control
>over the corresponding private key. The statement sounds as if both (a)
>implies (b) and (b) implies (a). So the existence of the certificate serves
>as evidence that the owner controls the private key, regardless of the
>actual facts.
>
>If GAKking were made mandatory, owners would be technically lying when they
>are issued a valid certificate, since they would not in fact have exclusive
>control over their keys. This is not an unusual property of legislation
>even though I personally find it repugnant.
>
>I remain optimistically skeptical about mandatory GAKking and doubt it will
>ever happen, but I'm still concerned about how this particular law handles
>certificate revocation. Maybe there's an escape clause ("... unless they
>publish a report that they have lost exclusive control of their private
>key...") but that's not what's been reported.
>
>Rick.
>
>
