[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: The Bank-model Was: Employee Certificates - Security Issues
>I can have an individual certificate 'J Adrian Pickering' that
>I obtain, perhaps issued by a government authority much like a passport.
In that case, you would only want to ever use that certificate in use cases
where an official proof of citizenship is required. Any use beyond that use
case violates the principle of least authority. It also exposes you to may
privacy risks. In my layman interpretation of EU privacy directives, it may
also be illegal. (Admittedly, I blatantly disregard the fact that even some
EU efforts in the above direction exist.)
> When I work for Company X in role Y, the Company issues me with an
appropriate
> attribute certificate. The two, when used together, are applied to Company
> transactions and are understood by the recipient to mean 'this
> individual has signed this transaction on behalf of company x in their
> role as y'.
This model unnecessarily ties two unrelated facets of your identity to each
other. If used as such, when you sign something on behalf of company x, you
are as a matter of fact *also* attesting to your citizenship in country z. I
fail to see why this would be necessary or even desired.
> This is just like a traditional legal document where an
> individual signs and it is endorsed by the company seal.
This is *incredibly* unlike traditional legal documents. It is a brilliant
example of why comparing PKI with traditional signatures proves why "analog
<-> digital" analogies are so dangerous.
In many jurisdictions, there is little formal requirements on an individual
signature. There may be requirements on a company seal. But I digress.
If I work for Company X in role Y, I would expect the company to issue me
with an appropriate identity certificate [possibly anonymous]. The company
might choose to initially require me to present a government issued identity
certificate to establish my "true identity", but beyond that point my
citizenship in "z" is fairly irrelevant to the company. I would also be
granted an attribute certificate for role Y, tied to identity X. All this on
the assumption that the company would use X.509-type identity certification.
In reality, in my current roles, I would probably have to have several
identity certificates. My "identity" varies depending on whom I am talking
to. Right now, I am writing this email as a personal message in my role as
security researcher. I would prefer not to sign such a message with an
identity certificate that would also be used to sign official company
statements, because the deployed X.509 S/MIME infrastructure does not support
attribute certificates.
The entire concept of trying to issue an "identity certificate" that is
useful in many contexts seems misguided to me. Such a certificate would
quickly grow to become a dossier. Personal dossiers are necessarily highly
confidential.
> I am still free to sign 'cheques' with my personal certificate whether I'm
in
> the employ of the company or not.
I would not sign cheques with a passport [pardon the bad analogy]. Actually,
it seems fairly evident from litterature that cheques need not be tied to
identities in any meaningful way. Cheques are only concerned with the matter
of credit. If I would create a [public-key based] system which attests to
valid credit without using identities, it would serve me well.
> Apologies in advance if I'm beating an old drum,
Apologies in advance if I'm doing the same.
Regards,
Camillo Särs
--
Camillo Särs <Camillo.Sars@xxxxxxxxxxxx> http://www.iki.fi/ged/
Senior Security Researcher, F-Secure Corporation http://www.F-Secure.com
F-Secure products: Securing the Mobile Enterprise