[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [saag] Another bad day at the hash function factory

To: "'MW-PKIPrgmCommittee@xxxxxxxxxxxxx'" <MW-PKIPrgmCommittee@xxxxxxxxxxxxx>, ietf-pkix@xxxxxxx
Subject: Re: [saag] Another bad day at the hash function factory
From: Eric Norman <ejnorman@xxxxxxxxxxxxx>
Date: Thu, 03 Mar 2005 14:21:09 -0600
In-reply-to: <86vf883j0m.fsf@xxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <20050302205815.GL1938@feynman> <b27ed2d6425ab92655dc9c9df3e0d97e@xxxxxxxxxxxxxxxx> <6.2.0.14.2.20050302165007.0888c820@xxxxxxxxxxxxxxxx> <cfcc3ff8ffef51156958d5734a060853@xxxxxxxxxxxxxxxx> <c7a42c97daca97a67d520a1214c53368@xxxxxxxxxxxxx> <86vf883j0m.fsf@xxxxxxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx



On Mar 3, 2005, at 8:23 AM, Eric Rescorla wrote:

Eric Norman <ejnorman@xxxxxxxxxxxxx> writes:


What evidence does the relying party have?  He has a recording of a
public

key (B), mathematical evidence that someone knows the associatedprivate

key (B), and a claim that I control private key B.  But he doesn't
have proof of
that binding between claim of identity and keypair; he has to get such
evidence

from the CA that signed the certificate. So he asks the CA totestify.


What evidence does the CA have?  The CA has evidence that keypair A
belongs to me, but the CA has never seen public key B and has no
evidence
about it whatsoever.


First, let me say that I'm extremely skeptical of this entire
line of argument and doubt that it would convince a judge.


I am also skeptical, now.

That said, even if I thought you could make a convincing argument
against non-repudiation based on hash collisions I don't think this
example shows what you think it shows:

We have available:

* A certificate containing key A (retained by the CA)
* A certificate containing key B (retained by the relying party)

The CA can demonstrate (to the extent that they can demonstrate
this at all) that the attesting party obtained certificate A.

It's also easy to verify that certificates A and B have the
same interior message digest value, so it's clear that something
is fishy.

I didn't think of that. That is indeed pretty substantial evidence,isn't it?

In this example, there's even more evidence of fishyness in the public
keys themselves.  Save for a few bits here and there, they are virtually
identical.

Nevertheless, one of the points to remember is that all thisnon-repudiationstuff is eventually going to come down to what it will take to convincea

judge.  What that means to me is that it's important to think about what
evidence will be available when that time comes, how the parties should
preserve and protect that evidence, and so forth.

Now, wouldn't it be neat to turn on our TV sets some day in the futureandhear Judge Judy say, "judgment for the plaintiff; the Hamming distanceis

too small"?

Eric Norman
University of Wisconsin -- DoIT

References:
- Re: [saag] Another bad day at the hash function factory
  - From: Eric Norman
- Re: [saag] Another bad day at the hash function factory
  - From: Eric Rescorla

Prev by Date: Re: [saag] X.509 certificate collision, via MD5 collisions
Next by Date: Comments on SCVP draft 18
Previous by thread: Re: [saag] Another bad day at the hash function factory
Next by thread: Re: [saag] Another bad day at the hash function factory
Index(es):
- Date
- Thread