
Re: [IETF-PKIX] Key Identifiers



The discussion on Key Identifiers led me down the following chain of
thought:

If the Key Identifier is useful for building a path, then it would be useful
to be able to query a directory server for certificates containing keys with
a given key identifier.

If directory servers become sufficiently large (for example, the size of the
Altavista search engine) then a lookup of a large number of certificates by
Key Identifier should be possible within a couple of seconds (with many
occurring concurrently).

If the directory server contained 200 million certificates, then a possible
attack would be to generate key sets and then query the directory server for
matches.  This would give someone with a fairly low-spec machine the ability
to search several hundred million keys per second.

Ian Roberts
--
Zergo Limited, The Square, Basing View, Basingstoke, Hants. RG21 4EG, UK
Tel: + 44 (0) 1442 342 600    Fax: +44 (0) 1256 812 901
Website:  http://www.zergo.com
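The lookup Ian describes, worked through as an added example (this is illustrative code written for this page, not part of the original post and not any directory or PKIX implementation): it derives a Subject Key Identifier the way RFC 5280 section 4.2.1.2 method (1) does, as the SHA-1 of the DER-encoded subjectPublicKey value, indexes a constructed directory by that identifier, and batch-queries it with attacker-generated candidate keys. Every name here is an assumption; the "keys" are random odd integers of modulus size rather than real RSA key pairs, the directory is a dictionary standing in for a server, and two directory keys are deliberately copied into the attacker's candidate list so that a match is observable in the demo.

```python
"""Subject Key Identifier lookup as a batch search oracle (added example).

Models the scenario in the post: an attacker generates candidate keys,
derives the key identifier for each, and asks a directory for certificates
carrying that identifier.  Each query is compared against the whole
directory at once.  Everything here is constructed: the moduli are random
integers of RSA shape, not real RSA keys, and the directory is a dict.
"""
import hashlib
import random


def der_length(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; a 0x00 is prepended when the
    high bit is set so the encoding stays positive."""
    if value < 0:
        raise ValueError("only non-negative integers are handled here")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + der_length(len(body)) + body


def rsa_public_key_der(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
    This is the value carried in the subjectPublicKey BIT STRING."""
    return der_sequence(der_integer(n), der_integer(e))


def subject_key_identifier(subject_public_key: bytes) -> bytes:
    """RFC 5280 s4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT
    STRING value, excluding tag, length and the unused-bits octet."""
    return hashlib.sha1(subject_public_key).digest()


def make_key(rng: random.Random, bits: int):
    # Constructed stand-in for key generation: an odd integer with the top
    # bit set, so it has the size of a modulus.  It is NOT a valid RSA key.
    n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    return n, 65537


def generate_keys(count: int, seed: int, bits: int = 2048):
    rng = random.Random(seed)  # deterministic so the demo is reproducible
    return [make_key(rng, bits) for _ in range(count)]


def build_directory(keys):
    """Index the directory's certificates by key identifier, as a server
    answering 'which certificates carry identifier X' would have to."""
    index = {}
    for pos, (n, e) in enumerate(keys):
        index[subject_key_identifier(rsa_public_key_der(n, e))] = pos
    return index


def batch_query(index, candidate_keys):
    """One lookup per candidate key.  Each lookup is in effect a comparison
    against every entry in the directory, which is the leverage the post
    describes.  Returns (candidate position, directory position) per hit."""
    hits = []
    for pos, (n, e) in enumerate(candidate_keys):
        kid = subject_key_identifier(rsa_public_key_der(n, e))
        if kid in index:
            hits.append((pos, index[kid]))
    return hits


def keys_searched(queries: int, directory_size: int) -> int:
    """Number of directory keys a batch of queries is compared against."""
    return queries * directory_size


def demo():
    directory_keys = generate_keys(1000, seed=1, bits=512)  # small for speed
    index = build_directory(directory_keys)
    candidates = generate_keys(500, seed=2, bits=512)
    # Two directory keys are deliberately planted in the attacker's list so a
    # match is visible; the independently generated candidates are not
    # expected to collide with anything in the directory.
    candidates += [directory_keys[17], directory_keys[900]]
    return batch_query(index, candidates)


if __name__ == "__main__":
    for cand_pos, dir_pos in demo():
        print(f"candidate {cand_pos} matches directory entry {dir_pos}")
    print(keys_searched(502, 1000), "directory keys compared in total")
```

The point the code makes concrete is the asymmetry in the post: the attacker pays one hash and one query per candidate key, while the directory does the comparison against all of its entries; `keys_searched` is just that product, and scales with the directory size rather than with anything the attacker has to compute.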