Educause Security Discussion mailing list archives
Re: Implementing a Public Key Infrastructure
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 14 Feb 2006 13:18:08 -0500
On Tue, 14 Feb 2006 11:58:12 EST, Ricardo Lafosse said:
I have recently invested an ample amount of time in researching how to implement a Public Key Infrastructure. I am interested in knowing if anyone has had prior experience employing this practice and what difficulties were encountered?
Hopefully you've already thought of all the stuff below, but this looks like a good time to inject some commentary for those sites still thinking about PKI.... An amazing amount of time is spent by organizations that try to deploy a PKI without reading the chapter in Bruce Schneier's "Secrets and Lies" on the subject, and try to get a PKI to do things that are not workable in the Real World. One thing that a *lot* of deployments get totally wrong is that they think that because something is signed, that the purported owner of the signing key intended to sign it. In fact, the only thing it proves is that the private key and the data were at the same place at the same time. Specific issues to consider: 1) When some estimate have up to 70% of *all* PCs infected with some sort of malware or spyware, there is *plenty* of wiggle room for malware to snarf up a key and use it for nefarious purposes. And even if the true number is closer to 5% than 70%, you are *still* looking at 1 out of every 20 signatures being possibly compromised. If nothing else, make *very* sure that your infrastructure actually handles CRL's and related correctly, because you *will* be revoking certs left right and center as machines get infected with malware. (Think - if the malware has *any* sort of phone-home or backdoor capability, why should you trust the key anymore?) 2) Obtaining a fraudulent signature via social engineering. We've *all* seen movies or TV shows where the gag runs "Sign this.. and this.. and this.. and this.. and this.." and the 23rd of 47 signatures is something that shouldn't have been signed. You *will* see electronic variants of this. I guarantee it. 3) bait-n-switch malware - using Javascript, ActiveX, or whatever the hole-du-jour is, display one document, get the user to sign another. You'll see this too. Most of the problems are based on a faulty model of what a digital signature actually means - "signed with X's key" is *not* the same thing as "X signed it".
Attachment:
_bin
Description:
Current thread:
- Implementing a Public Key Infrastructure Ricardo Lafosse (Feb 14)
- <Possible follow-ups>
- Re: Implementing a Public Key Infrastructure Steve Devoti (Feb 14)
- Re: Implementing a Public Key Infrastructure Valdis Kletnieks (Feb 14)
- Re: Implementing a Public Key Infrastructure jack suess (Feb 15)
- Re: Implementing a Public Key Infrastructure Dick Jacobson (Feb 15)
- Re: Implementing a Public Key Infrastructure Waller, Michael A. (HSC) (Feb 15)
- Re: Implementing a Public Key Infrastructure Steve Brukbacher (Feb 16)
- Re: Implementing a Public Key Infrastructure St Clair, Jim (Feb 16)
- Re: Implementing a Public Key Infrastructure Barbara Chung (DURTSCHI) (Feb 16)
- Re: Implementing a Public Key Infrastructure Pullman, Nick (Feb 16)
- Re: Implementing a Public Key Infrastructure Steve Worona (Feb 16)
- Re: Implementing a Public Key Infrastructure Theresa M Rowe (Feb 16)
- Re: Implementing a Public Key Infrastructure Barbara Chung (DURTSCHI) (Feb 16)
(Thread continues...)