Vulnerability Development mailing list archives

Re: Non-Mathematical Forging of PKI Digital Certificates / Throwing Rocks at the PKI


From: Pierre Vandevenne <pierre () datarescue com>
Date: Tue, 15 Aug 2000 22:01:57 +0200

On Tue, 15 Aug 2000 09:35:42 -0600, Eric Knight wrote:

> picking a PKI SOA, and ruthlessly hammers various insecure practices that
> I've discovered in my comparison of all the firms.

That's the most interesting part indeed - not more than 8 characters...
hmmm - :-)

Other than that, on the substance...

- it is yet another demonstration that a chain is only as strong as its
weakest link.

- is mail server compromise really needed? I imagine simple sniffing
could achieve the same result - one doesn't need to get the mail in
mail format to use the information, and as far as detection of the
problem is concerned, it will be detected soon enough after the
original key is revoked anyway

- imho, it is again convenience vs security - assuming a government
would handle the initial certification better, and they probably would,
I wouldn't trust them more than the commercial entities if they started
to implement a web interface to their databases.

On the form...

- you mix passphrase / password sometimes, with the result that at some
point I don't know which is which

see - Poor Password Problem, illustrated by a passphrase screen showing
"do not use punctuation" - then at the table on the last page you say
"user can pick any password" - yes for all organizations.

As far as the real problem is concerned, I liked the approach taken by
the global trust register much better - the different certification
levels are not linked to the amount of money paid but to the amount of
verifications carried out.

http://www.cl.cam.ac.uk/Research/Security/Trust-Register/book.html



---
Pierre Vandevenne - DataRescue sa/nv
Home of the IDA Pro Disassembler
http://www.datarescue.com/idabase/ida.htm
