Re: [IETF-PKIX] Key Identifiers
Ian,
X.509 defines a matching rule for use in the directory to search for certs based on the following fields:
Serial Number, Issuer, Subject Key Identifier, Authority Key Identifier, Validity Period, Private Key Validity, Subject Public Key Algorithm Identifier, Key Usage, Subject Alternative Name, Certificate policy, and Path to Name.
Cheers,
Ian Roberts wrote:
>
> The discussion on Key Identifiers led me down the following chain of
> thought:
>
> If the Key Identifier is useful for building a path, then it would be useful
> to be able to query a directory server for certificates containing keys with
> a given key identifier.
>
> If directory servers become sufficiently large (for example, the size of the
> Altavista search engine) then a lookup of a large number of certificates by
> Key Identifier should be possible within a couple of seconds (with many
> occurring concurrently).
>
> If the directory server contained 200 million certificates, then a possible
> attack would be to generate key sets and then query the directory server for
> matches. This would give someone with a fairly low-spec machine the ability
> to search several hundred million keys per second.
>
> Ian Roberts
> --
> Zergo Limited, The Square, Basing View, Basingstoke, Hants. RG21 4EG, UK
> Tel: + 44 (0) 1442 342 600 Fax: +44 (0) 1256 812 901
> Website: http://www.zergo.com
--
Sean Turner - IECA, Inc.