
RE: Problem for public CAs




-----Original Message-----
From: HORII Naoto [mailto:Naoto.Horii@xxxxxxxxx]
Sent: Monday, February 07, 2000 1:33 PM
To: ietf-smime@xxxxxxx
Subject: Re: Problem for public CAs



Item 3 would typically be implemented by restricting the type of questions a
client can ask to the CA:

1) S/MIME certificates would be returned only if the subjectAltname is
unambiguously specified - e.g.

client: search certificate for subjectAltname=lawsg@xxxxxxxxxxxxxxxxxxx
server: OK, certificate=blah

client: search certificate for subjectAltname=*@it.postoffice.co.uk
server: ERROR, invalid search key

For such a protection scheme to work, your directory server must obviously
be able to validate/sanitize a search key against access rules - e.g. "no
wildcards allowed in search keys" - before forwarding the search to your
directory's backend engine.

<snip>

AWA: Of course, this doesn't work if you allow me an unlimited number of
queries to your directory.  I'll just start with some of the more "obvious"
possibilities and work my way out; e.g.,

	search for:  certificate for smith@xxxxxxxxxxx
	             certificate for jsmith@xxxxxxxxxxx
	             certificate for smithj@xxxxxxxxxxx
	             ...

It's not real efficient, but hey, that's what computer programs are for. :-)
Sooner or later, I'll get a reasonable number of certs, and away I go.  I'll
chew up a lot of network bandwidth and leave footprints all over your
directory, but if you let me search like this, it's worth it - if there's
money to be made in spamming, I don't care what it costs you for me to get
the addresses. :-)  

				Al Arsenault

-- insert usual disclaimer about this being my opinion, and not reflecting
the opinion of my employer or of any other organization with which I have a
relationship

-- insert second disclaimer: no, I don't spam, I don't like spam, I don't
harvest names to help somebody else spam;...
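
Added example (not part of either message above): a sketch of a directory front end that applies both controls discussed in this thread, rejecting non-exact search keys before they reach the backend and capping lookups per client so that guess-by-guess enumeration is bounded. The class name, the limits, the client identifier and the example.com addresses are assumptions constructed for illustration.

```python
import re
import time
from collections import defaultdict, deque

# Exact e-mail address only: no wildcards or directory filter metacharacters.
_EXACT_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


class DirectoryFrontEnd:
    """Hypothetical gatekeeper placed in front of a certificate directory."""

    def __init__(self, backend, max_queries=5, window_seconds=60.0,
                 clock=time.monotonic):
        self.backend = backend              # address -> certificate (sample data)
        self.max_queries = max_queries      # lookups allowed per client per window
        self.window = window_seconds
        self.clock = clock                  # injectable so the limit can be tested
        self.history = defaultdict(deque)   # client id -> recent lookup timestamps

    def search(self, client_id, key):
        # Control 1: validate the key against the access rule before the
        # backend ever sees it ("no wildcards allowed in search keys").
        if not _EXACT_ADDR.fullmatch(key):
            return ("ERROR", "invalid search key")

        # Control 2: sliding-window budget, so a client cannot issue an
        # unlimited number of exact-match guesses.
        now = self.clock()
        recent = self.history[client_id]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_queries:
            return ("ERROR", "query limit exceeded")
        recent.append(now)  # hits and misses both count against the budget

        cert = self.backend.get(key.lower())
        return ("OK", cert) if cert is not None else ("ERROR", "not found")


if __name__ == "__main__":
    fe = DirectoryFrontEnd({"smith@example.com": "certificate=blah"}, max_queries=3)
    for k in ["*@example.com", "smith@example.com", "jsmith@example.com",
              "smithj@example.com", "smith@example.com"]:
        print(k, "->", fe.search("client-1", k))
```

The budget is only as strong as the client identifier it is keyed on, so it should be tied to something the caller cannot cheaply change, and the rejected and over-limit requests are worth logging as the "footprints" the reply mentions.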