[628] in cryptography@c2.net mail archive
Re: Paris Protocols Workshop
daemon@ATHENA.MIT.EDU (Bill Stewart)
Tue Apr 22 23:38:15 1997
Date: Tue, 22 Apr 1997 18:24:50 -0700
To: kelsey@email.plnet.net
From: Bill Stewart <stewarts@ix.netcom.com>
Cc: "Perry's Crypto List" <cryptography@c2.net>
In-Reply-To: <MAPI.Id.0016.00656c73657920203837433330303030@MAPI.to.RFC822>
Boy, if you can't trust your Trusted Third Party, who _can_ you trust? :-)
At 02:14 AM 4/13/97 CDT, John Kelsey wrote:
[Lots of people don't really understand certs-> will lead to many attacks]
>Someone (I think some of the Cambridge people) raised this
>issue: Suppose the CA revokes your current certificate, issues
>you a new certificate, and signs a bunch of contracts with some
>friendly agency or company under your new key. This lets the CA
>have most of the benefits (for it, not for you) of escrowing
>your signing key.
(Presumably they also created a fake key and issued the new cert for that?)
If people get your key from _you_, not from the CA, then this
attack doesn't work as well, though it works fine for the people
the CA impersonators contact pretending to be you.
On the other hand, while the CA can burn your reputation capital
easily enough this way, and maybe get you thrown in jail (:-),
if the CA isn't your bank, they can't tap your bank account,
they can't spend the digicash in your wallet, and if you
catch them signing a contract you can sue them for fraud,
or (if you can't prove _they_ perpetrated the fraud) at least for
falsely certifying a key to be yours, just as you would if
somebody walked in their door with a fake ID and a key and they certified it.
Another thing this attack can't do is get at messages you signed with
your real key before they propagated the fake, though they can
set up the communications infrastructure for a MITM attack before
actually starting to switch messages.
>Their short answer to this problem was that
>revocations ought to require a different entity than
>certification, to divide up the powers necessary to do this
>among different groups of people.
I disagree that cert-revocations should be done by anyone other than
the cert-issuer, except possibly by the key holder.
On the other hand, key revocations definitely should be signed
by the key being revoked.
# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list, please Cc: me on replies. Thanks.)