
Re: Online Certificate Revocation Protocol




All I'm saying is that "destroyed" does not mean that the key can't be
recovered by someone with enough determination and expertise/money.

Yes, in theory, if a key is actually wiped from existence then the security
reasons for revoking its certificate are fairly weak (to be diplomatic about
it).  However, I seem to recall seeing reports a few months ago about some
data being recovered from a hard drive even though the data was overwritten
many times.  Destroying information seems to be a lot harder than expected.

Tony's original question concerned the accidental destruction of a key.  I
suggest that "accidental destruction" really means that the key is beyond the
owner's ability to recover it.  But that doesn't mean it's beyond everyone
else's ability as well.

For your average user, "destroyed" might mean that they accidentally dragged
their private key file into the trashcan.  This would hardly be "Destroyed"
in the theoretical sense, but if the policy is that there need be no
revocation when a key is "lost" then there's a huge vulnerability here.

		Marc


Santosh Chokhani wrote:
> 
> You could revoke, but there is no compelling security reason just because
> the key is destroyed regardless of the sensitivity of the subject component
> or the application.
> 
> Now, if some other foul play is suspected as part of the destruction event,
> that is another matter.
>