
Re: [IETF-PKIX] Multiple Certificates



>Few application protocols (and according to the chair of the S/MIME
>working group, *no* email protocols) include any means of preventing
>certificate substitution, so key sharing is a vulnerability.
>
>Am I missing something?

Well, it can equally be argued that having one key per certificate
introduces a single point of failure and violates the principle
of least privilege (from the perspective of a relying party attempting
to minimise threats due to trusting CAs).

In other words, assuming that there could be two or more
independent certificates for the same key, then a relying party could
require several certs before accepting a key (protecting against rogue
CAs), and could also temporarily "fly on one engine" should one of the
CAs be compromised or otherwise break down. The CAs are also
individually less attractive targets for an attacker.

Also, as you point out, the case you raise can be addressed by
having different key pairs per context, or by binding certificates
to messages (actually I think it would be better to just bind
selected attributes to messages, as in general a signer has
no way of predicting which certificate(s) relying parties will
trust).

Cheers,
Frank O'Dwyer.
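As an added illustration of the relying-party policy sketched above (not code from this thread or from any IETF-PKIX work), the following constructs two independent CAs that each certify the same subject key, and a relying party that accepts a key only when at least a threshold number of distinct trusted CAs vouch for it; dropping a compromised CA from the trust store with a threshold of 1 is the "fly on one engine" case. It assumes the `cryptography` Python package; the CA names and the subject "alice" are constructed sample values.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(ca_key, ca_cn, subject_cn, subject_pub):
    # Minimal end-entity cert signed by one CA (no extensions, 1-day validity).
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(_name(subject_cn))
            .issuer_name(_name(ca_cn)).public_key(subject_pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(ca_key, hashes.SHA256()))

def spki_fingerprint(cert):
    # Certificates bind the same key iff their SubjectPublicKeyInfo matches.
    der = cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    h = hashes.Hash(hashes.SHA256()); h.update(der)
    return h.finalize()

def accept_key(certs, trusted_cas, threshold):
    """trusted_cas maps CA common name -> CA public key. Returns the SPKI
    fingerprint backed by >= threshold distinct trusted CAs, else None."""
    backers = {}
    for cert in certs:
        issuer = cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        ca_pub = trusted_cas.get(issuer)
        if ca_pub is None:
            continue  # untrusted (or removed as compromised) CA: does not count
        try:
            ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                          ec.ECDSA(cert.signature_hash_algorithm))
        except Exception:
            continue  # signature does not verify under the named CA: ignore
        backers.setdefault(spki_fingerprint(cert), set()).add(issuer)
    for fp, cas in backers.items():
        if len(cas) >= threshold:  # a single rogue CA cannot reach threshold >= 2
            return fp
    return None

# Constructed demo: two independent CAs certify the same subject key.
ca_a, ca_b = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
subject = ec.generate_private_key(ec.SECP256R1())
CERTS = [issue(ca_a, "CA-A", "alice", subject.public_key()),
         issue(ca_b, "CA-B", "alice", subject.public_key())]
TRUSTED = {"CA-A": ca_a.public_key(), "CA-B": ca_b.public_key()}
```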