
Re: [IETF-PKIX] Cryptographic binding of certificates to signatures



All,

In order to deal with the situation that a key-holder has
multiple certificates and signs a message without giving any
reference to which certificate should be used by the relying
party when verifying the signature, Bob has proposed a
redefinition of the ASN.1 signature macro.

I think that this is a particularly bad idea...

I agree that it should be recommended to clearly state under
which role/certificate one signs something. But that is the
responsibility of the signer and not of the CA. Also, stipulations
of this kind are, IMHO, an application-level issue, not part of the
PKI (and outside of this WG's charter). It may even be unnecessary.

Suppose that Mr. X has two certificates (of the same key)
for his two roles: as a private person and as an employee of
a big company. Now this Mr. X signs a contract for that big
company (as being an employee) but forgets to state in the
signature which certificate should be used to verify the
signature. If that contract is bad business for the big company,
then it may want to try to claim that it was signed by the private
person X, not by the employee.

It's clear that it can't be proved (cryptographically) in court
which certificate is the correct one. But remember that
it's as hard for the opponent, the big company, to prove that
it was the private person X that signed the contract as it is
for Mr. X to prove that it was him as an employee. In the worst
case, the signature (and contract) could be judged as being
unresolved (which may be bad enough though).

I think this shows that when dealing with valuable signatures,
such as contracts, it is in both parties' (the key holder and the
relying party) interest to clearly state which certificate should
be used. Even if the certificate isn't contained in the message to
be signed due to flaws in the application design, it could be the
signer's responsibility to include it anyway (e.g. as a signed
attachment).

Regards,
/Lars Johansson
Sweden Post
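
The ambiguity discussed in this message, and the signer-side remedy of covering the certificate with the signature, as an added example that is not part of the original message. It assumes a toy textbook-RSA key without padding and dictionaries standing in for certificates; all names and values are constructed for illustration.

```python
import hashlib

# Toy textbook-RSA key (constructed from two Mersenne primes, no padding).
# An assumption for illustration only; never use such a key in practice.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

# Two constructed "certificates" for the same key, one per role of Mr. X.
CERT_PRIVATE = {"subject": "Mr. X", "role": "private person", "public_key": (N, E)}
CERT_EMPLOYEE = {"subject": "Mr. X", "role": "employee, Big Company", "public_key": (N, E)}
CONTRACT = b"Big Company agrees to buy 1000 units."  # constructed message


def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes) -> int:
    """Sign with the key-holder's private exponent."""
    return pow(_digest_int(data, N), D, N)


def verify(data: bytes, sig: int, cert: dict) -> bool:
    """Verification uses only the public key found in the certificate."""
    n, e = cert["public_key"]
    return pow(sig, e, n) == _digest_int(data, n)


def cert_id(cert: dict) -> bytes:
    """Fixed-length hash over the whole certificate, role included."""
    n, e = cert["public_key"]
    return hashlib.sha256(f"{cert['subject']}|{cert['role']}|{n}|{e}".encode()).digest()


def sign_bound(message: bytes, cert: dict) -> int:
    """Signer states the certificate by signing its hash with the message."""
    return sign(cert_id(cert) + message)


def verify_bound(message: bytes, sig: int, cert: dict) -> bool:
    return verify(cert_id(cert) + message, sig, cert)


def demo() -> dict:
    plain = sign(CONTRACT)
    bound = sign_bound(CONTRACT, CERT_EMPLOYEE)
    return {
        "plain_under_private": verify(CONTRACT, plain, CERT_PRIVATE),
        "plain_under_employee": verify(CONTRACT, plain, CERT_EMPLOYEE),
        "bound_under_private": verify_bound(CONTRACT, bound, CERT_PRIVATE),
        "bound_under_employee": verify_bound(CONTRACT, bound, CERT_EMPLOYEE),
    }
```

The plain signature verifies under both certificates, which is the unresolved case described above; the signature that covers the certificate hash verifies only under the certificate the signer named.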