Re: [IETF-PKIX] Multiple Certificates

["David P. Kemp" <dpkemp@xxxxxxxxxxxxxx>]

> From: "Balluffi, Frank" <BalluffiF@CertCo.com>
>
> What is the foundation or context for this discussion: WHAT ATTACKS ARE
> WE CONCERNED ABOUT?


In addition to the four operational disadvantages listed in a prior
message, I thought up the following actual attack this morning
in the shower :-)

Consider two credit cards with different policies: the Green card
is free and offers no benefits; the Gold card costs .1% per transaction
but offers replacement insurance up to $1000 on goods purchased.

It is in the user's interest to use the Green card for every transaction,
unless the goods received turn out to be defective, in which case the
user might try to substitute the Gold card on the purchase transaction.

The credit card company has the opposite incentive, to switch all
transactions to the Gold card.  And if the merchant pays a different
fee or gets a different commission from the two cards, the merchant
has an incentive to swap certificates too.

Certificate substitution would be prevented by using different keys,
by binding the cert to the transaction, or both.  In the case of
credit cards, any reasonable commerce protocol would bind the cert
into the transaction.  But the attack applies whenever there
are certificates with a shared key and conflicting incentives;
the incentives could be information-based rather than monetary.
Few application protocols (and according to the chair of the S/MIME
working group, *no* email protocols) include any means of preventing
certificate substitution, so key sharing is a vulnerability.

Am I missing something?