Vulnerability Development mailing list archives

Re: Non-Mathematical Forging of PKI Digital Certificates / Throwing Rocks at the PKI


From: Chris Tobkin <tobkin () INTERSEC COM>
Date: Wed, 16 Aug 2000 16:04:04 -0500

Eric, when I started reading this I thought it was going to be a high-level
examination of problems inherent in PKI. However, the way it is written,
it looks like you just tossed up a few problems with two key vendors. Truth
be told, many of the legally binding and enforceable PKI solutions used for
non-repudiation and proof of identity will have a governmental root server
(which may trust other govt. root servers) and dole out authority to key
vendors. Here in Minnesota (I believe from my discussion with the Secretary
of State, no I haven't read the law word for word) the only way the Digital
Certificate is legally binding is if it is signed with the State in the
chain. To get one of these certificates, you must meet a Notary Public in
person with two valid forms of photo identification and they will issue you
a digital ID for a fee. This in-person verification is necessary and will
always be around to get the signed digital ID. It really won't matter if
people can brute-force and revoke your key, so that part can be online, but
it'll just be annoying (inconvenient) to have to get a new one. With that
in mind, most of your problems seem to vaporize. IOW, most of the legally
binding ones will be less convenient than the more casual system in place
today.

Great things are on the way!
// Chris
tobkin () intersec com
