Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Non-Mathmatical Forging of PKI Digital Certificates / Throwing Rocks at the PKI

From: Christoph Puppe <christoph.puppe () DEFCOM-SEC COM>
Date: Fri, 25 Aug 2000 18:34:29 +0200
On 18 Aug 2000, Timothy J. Miller wrote:


...
So in actual practice, you need to go further than just offering
validity checking.  There needs to be some mechanism whereby the
source of authority can guarantee that for some arbitrary PKI
transaction, the parties engaged actually performed a validity check.


  You could only do this, when the parties involved have to use the
CA. An example could be timestamping, as required by some contracts where
a third and trusted party does a signature to vow for the time the
transaction took place. This could be bound to a validity checking that
is only given if the parties have checked each other before this.



...
We don't have this for PKI transactions.  Now I know a little about
OCSP (Online Certificate Status Protocol), but does OCSP provide a
mechanism to force a participant to validate the certificate, and
invalidates the transaction if not completed?


  You could tell (programm) any client to lookup the cert before he does
accept a signature or challenge-response, but I know of none that has this
feature.


smartcard-enabled company, when the CEO forgets his smartcard at home
are *you* going to tell him that he *must* drive home and get it, or
are you simply going to snatch his private key from escrow and issue
him a temporary card?


  He should fire you if you don't.

  Gruss

  Christoph Puppe
--
  /* Defcom Security GmbH     ||  Net:    www.defcom-sec.de      */
  /* Arndtstr. 34             ||  Tel:    +49-30-61650-0         */
  /* D-10965 Berlin           ||  Fax:    +49-30-61650-555       */
Previous By Date Next
Previous By Thread Next

Current thread: