
Re: [IETF-PKIX] Cryptographic binding of certificates to signatures



> From: Bob Jueneman <BJUENEMAN@NOVELL.COM>
>
> If we were able to somehow add cryptographic binding of
> the digital signature to the specific certificate that is
> supposed to be used to validate it, virtually all of my objections
> to issuing more than one certificate per key would disappear,
> and we would be left with some of the positive virtues of that
> approach that others have mentioned.

I look at it somewhat differently.  Issuing a single certificate
per key provides the cryptographic binding between the signature
and the certificate; proposals to share keys between certificates
reduce that to a binding between the signature and the union of
all certificates which share the key.

I agree that it would be desirable to increase assurance by creating new
signature algorithms and/or new application-protocol capabilities to
bind the cert to the signature.  But that won't happen overnight.

What are the positive virtues of shared keys?  The only ones I've
seen are the possibility of saving some memory, and the gut feeling
that it would be nice to have one signature key represent one person.

There are some circumstances where using the same key in multiple
certificates is reasonable:

* cross-certification: the union of all certificates with the same
  CA as a subject offers no advantage over any particular single
  certificate, thus there's no benefit to be gained by swapping
  certs.  The purpose of a CA key is to sign certificates and CRLs
  which can later be validated - if more than one path leading through
  a particular CA can be constructed and validated, then the properties
  of any single path are not affected by whether other paths use the
  same key.

* renewal: if certificates are issued periodically with no change
  in contents except the validity period, then there is no vulnerability
  (except increased key lifetime) introduced by recertifying the
  same key.  Or, to put it another way, if a key is used for a fixed
  period (say 5 years), then there is no difference between issuing
  a single cert with 5 year validity or 5 otherwise identical certs
  with 1 year validities.  Since shorter validities may make CRLs
  shorter, recertifying the same key is useful.

Once you get beyond the cases where sharing keys is clearly harmless,
things get more difficult to understand.  Is it OK to recertify a
key if just the person's name changed?  I dunno. It seems reasonable
that a person would have the identical liabilities and obligations
regardless of what name that person used.  But if there were some
instance where Alice Smith has different legal responsibilities
than Mrs. Alice Smith-Jones, then they should use different keys
  lest either Alice or an adversary find it profitable to
  swap certs on some signed item.
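A worked illustration of the point argued in this thread, added here and not part of the original post or of any PKIX document: one key is certified under two subject names, a plain signature over a message verifies equally under either certificate (the "cert swap"), while a signature that also covers the intended certificate's fingerprint, the binding Bob asks for and the idea behind the ESSCertID signing-certificate attribute of RFC 2634/5035, verifies only under that certificate. It uses only Go's standard library (crypto/x509, crypto/ecdsa); the names and message are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned issues a self-signed certificate over key for the given subject name.
func selfSigned(key *ecdsa.PrivateKey, cn string, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// digest is SHA-256(msg), or SHA-256(SHA-256(cert DER) || msg) when a binding cert is given.
func digest(msg []byte, cert *x509.Certificate) []byte {
	h := sha256.New()
	if cert != nil {
		fp := sha256.Sum256(cert.Raw) // certificate fingerprint, as ESSCertID hashes the cert
		h.Write(fp[:])
	}
	h.Write(msg)
	return h.Sum(nil)
}

// verify checks sig with the key carried in cert; bindTo is the cert whose fingerprint the
// verifier expects in the digest (nil for a plain, unbound signature).
func verify(cert *x509.Certificate, msg, sig []byte, bindTo *x509.Certificate) bool {
	return ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), digest(msg, bindTo), sig)
}

// Swap certifies one key under two names (constructed sample data), signs one message, and
// reports: plain sig verifies under both certs; bound sig verifies under a, not under b.
func Swap() (plainBoth, boundA, boundB bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a, b := selfSigned(key, "Alice Smith", 1), selfSigned(key, "Mrs. Alice Smith-Jones", 2)
	msg := []byte("I agree to the terms")
	plain, _ := ecdsa.SignASN1(rand.Reader, key, digest(msg, nil))
	bound, _ := ecdsa.SignASN1(rand.Reader, key, digest(msg, a))
	plainBoth = verify(a, msg, plain, nil) && verify(b, msg, plain, nil)
	return plainBoth, verify(a, msg, bound, a), verify(b, msg, bound, b)
}

func main() { fmt.Println(Swap()) } // prints: true true false
```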