[540] in cryptography@c2.net mail archive


re: John Kelsey's post (maybe)

daemon@ATHENA.MIT.EDU (Hal Finney)
Mon Apr 14 17:31:34 1997

Date: Mon, 14 Apr 1997 12:10:14 -0700
From: Hal Finney <hal@rain.org>
To: cryptography@c2.net, PADGETT@hobbes.orl.mmc.com

"A. Padgett Peterson P.E. Information Security" <PADGETT@hobbes.orl.mmc.com>
writes:
> I think there has been a fundamental error here (either that or the
> government/escrow idea has been adopted while I was not looking). A
> CA should not be able to issue keys without having other authorizations
> (which I do not plan to give unilaterally).

The case I described was where a CA fraudulently did so without your
authorization, but claimed that you had in fact authorized it.  The
assumption would be that the authorization was in written form, and
perhaps it could be forged or, as I described, claimed to be lost.

> A CA's role is to authenticate keys submitted to it. A CA may revoke the
> certification *but not the key*.

In some public-key infrastructure models, like some of the X.509 based
ones, users don't revoke their own keys.  The only things which can be
revoked are certificates.  To do what you want, you'd have users issue
self-certificates on their own keys which they could later revoke, with
self-revocations interpreted as meaning that the key was no longer valid.

At the risk of being caught in the political controversies surrounding
X.509, my understanding is that this was not part of the "classical"
X.509 approach.  The original "privacy enhanced mail" system for example
was oriented towards a model where CAs would issue and then revoke
certificates, and each key would have only a single certificate issued
by the appropriate CA in the hierarchy.

X.509 has been modified to be more flexible, but I don't know whether
self-certificates with self-revocations are being used in any X.509
public key models or not.  Does S/MIME do this?

Hal
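
[Editor's added example, not part of Hal's or Padgett's message.] The exchange above turns on a distinction that is easy to blur: an X.509 CRL names certificates by serial number, so a CA can withdraw its own certification of a key but has no way to say anything about the key itself, while the "self-certificate with self-revocation" arrangement Hal sketches gives the key's owner a way to say exactly that. The Go program below builds both structures with the standard library and applies the relying-party rule Hal describes (a key is usable only if a CA certificate over it is in good standing and the owner's self-certificate over the same key has not been self-revoked), then walks through the two cases the posts contrast: the CA revoking its certificate, and the owner self-revoking. The names, serial numbers and the one-CA hierarchy are invented for the example; marking the self-certificate with the CA and crlSign bits is a modelling choice forced by Go's x509 package, which will not accept a CRL signer without them. It assumes Go 1.19 or later (x509.ParseRevocationList and generics).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const caName, userName = "Example Hierarchy CA", "alice@example.invalid" // placeholders, not a real CA or user

func must[T any](v T, err error) T { // keeps the demo short; a real relying party would handle errors
	if err != nil {
		panic(err)
	}
	return v
}

// template is a minimal X.509 template; authority grants certSign and crlSign, which Go requires of any CRL signer.
func template(serial int64, cn string, authority bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: authority, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if authority {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl over pub. parent == nil means self-signed: the key certifies itself (a "self-certificate").
func issue(tmpl *x509.Certificate, pub ed25519.PublicKey, parent *x509.Certificate, key ed25519.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// crl is a revocation list signed by issuer. A CRL names certificate serial numbers only:
// an X.509 issuer can withdraw its own certificates, never the key they cover.
func crl(issuer *x509.Certificate, key ed25519.PrivateKey, n int64, revoked ...*x509.Certificate) *x509.RevocationList {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(n), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))))
}

// inGoodStanding: cert and the CRL both verify under issuer, and the CRL does not name cert.
func inGoodStanding(cert, issuer *x509.Certificate, list *x509.RevocationList) bool {
	ok := cert.CheckSignatureFrom(issuer) == nil && list.CheckSignatureFrom(issuer) == nil
	for _, r := range list.RevokedCertificates {
		ok = ok && r.SerialNumber.Cmp(cert.SerialNumber) != 0
	}
	return ok
}

// Verdict keeps two questions apart: does the CA still stand behind its certificate, and is the key itself still alive?
type Verdict struct{ CACertGood, KeyAlive, Usable bool }

// evaluate is the relying-party rule from the post: usable only if the CA's certificate over the key is in
// good standing AND the owner's self-certificate over the same key is not self-revoked (= "key no longer valid").
func evaluate(caIssued, ca *x509.Certificate, caCRL *x509.RevocationList, selfCert *x509.Certificate, selfCRL *x509.RevocationList) (Verdict, error) {
	if !bytes.Equal(caIssued.RawSubjectPublicKeyInfo, selfCert.RawSubjectPublicKeyInfo) {
		return Verdict{}, errors.New("CA certificate and self-certificate cover different keys")
	}
	v := Verdict{CACertGood: inGoodStanding(caIssued, ca, caCRL), KeyAlive: inGoodStanding(selfCert, selfCert, selfCRL)}
	v.Usable = v.CACertGood && v.KeyAlive
	return v, nil
}

// demo returns verdicts for three states: fresh; after the CA revokes its certificate (key untouched,
// another CA could still certify it); after the owner self-revokes (key dead although the CA's cert still stands).
func demo() [3]Verdict {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := issue(template(1, caName, true), caPub, nil, caKey)
	caIssued := issue(template(2, userName, false), userPub, ca, caKey)  // the hierarchy's CA certifies the key
	selfCert := issue(template(1, userName, true), userPub, nil, userKey) // the owner's self-certificate over it
	noneByCA, noneBySelf := crl(ca, caKey, 1), crl(selfCert, userKey, 1)
	caRevokes, selfRevokes := crl(ca, caKey, 2, caIssued), crl(selfCert, userKey, 2, selfCert)
	return [3]Verdict{
		must(evaluate(caIssued, ca, noneByCA, selfCert, noneBySelf)),
		must(evaluate(caIssued, ca, caRevokes, selfCert, noneBySelf)),
		must(evaluate(caIssued, ca, noneByCA, selfCert, selfRevokes)),
	}
}

func main() {
	fmt.Printf("fresh, CA-revoked, self-revoked: %+v\n", demo())
}
```

Running it shows the second verdict with CACertGood false but KeyAlive true (Padgett's reading: the certification is gone, the key is not), and the third with CACertGood true but KeyAlive false, which is the case Hal's self-revocation is meant to express and which the classical single-certificate hierarchy has no way to state. Note that the rule only works if relying parties actually fetch and honour the owner's CRL as well as the CA's; a verifier that checks the CA's CRL alone would still accept the key in the third case.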
