Vulnerability Development mailing list archives
Re: Non-Mathmatical Forging of PKI Digital Certificates / Throwing Rocks at the PKI
From: Christoph Puppe <christoph.puppe () DEFCOM-SEC COM>
Date: Fri, 25 Aug 2000 18:34:29 +0200
On 18 Aug 2000, Timothy J. Miller wrote:
> ... So in actual practice, you need to go further than just offering validity checking. There needs to be some mechanism whereby the source of authority can guarantee that for some arbitrary PKI transaction, the parties engaged actually performed a validity check.
You could only do this when the parties involved have to use the CA. An example could be timestamping, as required by some contracts, where a trusted third party signs to vouch for the time the transaction took place. This could be bound to a validity check that is only granted if the parties have checked each other beforehand.
> ... We don't have this for PKI transactions. Now I know a little about OCSP (Online Certificate Status Protocol), but does OCSP provide a mechanism to force a participant to validate the certificate, and invalidates the transaction if not completed?
You could tell (program) any client to look up the cert before it accepts a signature or challenge-response, but I know of none that has this feature.
> smartcard-enabled company, when the CEO forgets his smartcard at home are *you* going to tell him that he *must* drive home and get it, or are you simply going to snatch his private key from escrow and issue him a temporary card?
He should fire you if you don't.

Regards
Christoph Puppe
--
/* Defcom Security GmbH || Net: www.defcom-sec.de */
/* Arndtstr. 34        || Tel: +49-30-61650-0     */
/* D-10965 Berlin      || Fax: +49-30-61650-555   */
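The enforcement Puppe says no client implements, shown as an added example that is not part of the original thread: a relying party that refuses to accept a signature unless it first holds a fresh, nonce-bound status assertion for the signer's certificate that says "good". It is a toy model of the OCSP flow, not real OCSP or X.509: HMAC over constructed keys stands in for the responder's and signer's signatures, and the serial, keys, nonce and message are made up. Every failure path (no assertion, forged assertion, wrong serial, replayed nonce, expired window, revoked or unknown status) fails closed.

```python
# Added illustration (not from the thread): relying-party policy that gates
# signature acceptance on a verified status assertion.  Toy model of OCSP.
# HMAC with constructed keys stands in for real signatures; in a real
# deployment the relying party would use the responder's and the signer's
# public keys taken from their certificates.
import hashlib
import hmac

# Constructed values for the example.
CA_KEY = b"constructed-ocsp-responder-key"
SIGNER_KEY = b"constructed-signer-key"
SERIAL = "0x1a2b3c"

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


def _mac(key, *parts):
    """Stand-in for a digital signature over the concatenated fields."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def _status_fields(serial, status, this_update, next_update, nonce):
    return (serial.encode(), status.encode(), str(this_update).encode(),
            str(next_update).encode(), nonce)


def issue_status(ca_key, serial, status, now, nonce, lifetime=300):
    """Responder answers a status request.  Carries the fields a relying
    party must check: serial, status, thisUpdate/nextUpdate window and the
    requester's nonce, all covered by the responder's signature."""
    resp = {"serial": serial, "status": status, "this_update": now,
            "next_update": now + lifetime, "nonce": nonce}
    resp["sig"] = _mac(ca_key, *_status_fields(serial, status, now,
                                               now + lifetime, nonce))
    return resp


def sign_message(signer_key, serial, message):
    """Signer produces a signature bound to its certificate serial."""
    return {"serial": serial, "message": message,
            "sig": _mac(signer_key, serial.encode(), message)}


def accept_signature(signed, signer_key, ca_key, status_resp, expected_nonce, now):
    """Relying-party policy.  Returns (accepted, reason).

    A valid signature alone is never enough: the status assertion must exist,
    verify under the responder key, cover this serial, carry our nonce, fall
    inside its validity window, and say 'good'.  Anything else fails closed."""
    expected = _mac(signer_key, signed["serial"].encode(), signed["message"])
    if not hmac.compare_digest(expected, signed["sig"]):
        return False, "bad signature"
    if status_resp is None:
        return False, "no status assertion: unchecked signature refused"
    fields = _status_fields(status_resp["serial"], status_resp["status"],
                            status_resp["this_update"], status_resp["next_update"],
                            status_resp["nonce"])
    if not hmac.compare_digest(_mac(ca_key, *fields), status_resp["sig"]):
        return False, "status assertion not signed by trusted responder"
    if status_resp["serial"] != signed["serial"]:
        return False, "status assertion covers a different certificate"
    if not hmac.compare_digest(status_resp["nonce"], expected_nonce):
        return False, "status assertion not bound to this request (replay)"
    if not status_resp["this_update"] <= now < status_resp["next_update"]:
        return False, "status assertion outside its validity window"
    if status_resp["status"] != GOOD:
        return False, "certificate status is %s" % status_resp["status"]
    return True, "signature accepted after fresh status check"


if __name__ == "__main__":
    now = 1_000_000
    nonce = b"request-nonce-1"
    signed = sign_message(SIGNER_KEY, SERIAL, b"transfer 100 units")
    print(accept_signature(signed, SIGNER_KEY, CA_KEY,
                           issue_status(CA_KEY, SERIAL, GOOD, now, nonce), nonce, now))
    print(accept_signature(signed, SIGNER_KEY, CA_KEY, None, nonce, now))
    print(accept_signature(signed, SIGNER_KEY, CA_KEY,
                           issue_status(CA_KEY, SERIAL, REVOKED, now, nonce), nonce, now))
```

The nonce is what ties the assertion to this particular acceptance decision, so a status response captured while the certificate was still good cannot be replayed after revocation; the signed this_update/next_update window is the same kind of third-party time evidence the timestamping contracts in the thread rely on. Treating "unknown" the same as "revoked" is the fail-closed choice; a client that accepts on a missing or unknown response has not actually enforced the check.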
Current thread:
- Non-Mathmatical Forging of PKI Digital Certificates / Throwing Rocks at the PKI Eric Knight (Aug 15)
- Re: Non-Mathmatical Forging of PKI Digital Certificates / Throwing Rocks at the PKI Pluto (Aug 17)
- Re: Non-Mathmatical Forging of PKI Digital Certificates / Throwing Rocks at the PKI Eric Knight (Aug 18)
- Re: Non-Mathmatical Forging of PKI Digital Certificates /Throwing Rocks at the PKI Dener Martins (Aug 22)
- Re: Non-Mathmatical Forging of PKI Digital Certificates /Throwing Rocks at the PKI Timothy J. Miller (Aug 23)
- Re: Non-Mathmatical Forging of PKI Digital Certificates /Throwing Rocks at the PKI Dener Martins (Aug 23)
- Re: Non-Mathmatical Forging of PKI Digital Certificates /Throwing Rocks at the PKI Alvin Foo (Aug 24)
- Re: Non-Mathmatical Forging of PKI Digital Certificates / Throwing Rocks at the PKI Eric Knight (Aug 18)
- Re: Non-Mathmatical Forging of PKI Digital Certificates / Throwing Rocks at the PKI Pluto (Aug 17)
- Re: Non-Mathmatical Forging of PKI Digital Certificates / Throwing Rocks at the PKI Pluto (Aug 29)
- Re: Non-Mathmatical Forging of PKI Digital Certificates / Throwing Rocks at the PKI Christoph Puppe (Aug 25)
- Re: Non-Mathmatical Forging of PKI Digital Certificates / Throwing Rocks at the PKI Timothy J. Miller (Aug 25)
- Re: Non-Mathmatical Forging of PKI Digital Certificates / Throwing Rocks at the PKI Lincoln Yeoh (Aug 26)
- Re: Non-Mathmatical Forging of PKI Digital Certificates / Throwing Rocks at the PKI Pluto (Aug 29)