What's the significance of accepting a cert?

Rohit Khare (khare@w3.org)
Wed, 25 Jun 1997 20:45:14 -0400 (EDT)


Carl raises a fascinating question in his Acme scenario below. It's the
direct downside of 'let a thousand CA's bloom': what if you could be framed
this way? Is it defensible to claim Acme wasn't exercising 'due care' for
ANY of its certs? It's just another painful reminder that everyone has to
TRUST a CA -- not just to check identity or some marrow role, but trust
ABSOLUTELY. Now, if you're in Silicon Valley, do you want your keys under
the control of a competitor down the street at Verisign?

Rohit

Date: Wed, 25 Jun 1997 18:20:11 -0400
To: banisar@epic.org
From: Carl Ellison <cme@cybercash.com>
Subject: legal question about certs

-----BEGIN PGP SIGNED MESSAGE-----

Dave,

we have a gentle war brewing on the SPKI list.

The question is whether the subject of a certificate should sign it.
Normally, the issuer signs the cert -- giving some permission or access rights
to the subject. The subject doesn't need to sign the cert to receive those
rights.

However, there is a theory that for each transfer of rights in one direction,
there is a transfer of responsibility in the other direction. Therefore, the
subject should sign the cert accepting the responsibility that goes along with
the rights.

Ron Rivest argues that as cryptographers, all we care about is the rights
transfer...that the responsiblity transfer is the domain of lawyers.

For example, an attack is envisioned. Bad company, Acme, finds your public
key someplace from some legitimate cert of yours and generates a new cert for
you, giving you access to their file system. Someone breaks into their file
system and does damage, wiping out the audit logs of who broke in. So, Acme
asks the age-old Perry Mason question: who had keys to that door? Your cert
(even though you never saw it) is a key to that door. That makes you a
suspect. If for other reasons you might be even the most logical suspect, then
you might make it to the top of the police list and get severely hassled.

If certs all had to be signed by their subjects as well as their issuers, then
we avoid this attack.

So, since we're not lawyers -- the question we need answered is whether the
attack above is credible and whether we should bother having dual signed certs
to protect against it. [Ie., require all certs to be dual signed -- not for
granting access, but for taking to court. The second signature doesn't have to
be on the cert itself -- it could be on a receipt for a cert -- like the note I
signed back when companies would issue me brass keys to the front door. The
cert verifier doesn't need to see the receipt. However, if standard practice
is to get signed receipts for each cert issued, then the defense attny could
demand that Acme produce the receipt you signed for your key (cert) -- and if
they can't, then claim that you never received the cert so you couldn't have
been the person breaking in and doing damage.]

Is this something we should worry about, in your opinion? Do you know others
we should ask about this?

Thanks,

Carl

-----BEGIN PGP SIGNATURE-----
Version: 5.0
Charset: noconv

iQCVAwUBM7GZmlQXJENzYr45AQHZLQP/QJCDzoltUnFmVnSe4fZqWGYhhsSCF0pk
PRamzNqKn4Gn3O2s8HvAGTV9U2GdnR2UCL9bIVYeAnZKimi4osOA+yuoBytKnUGy
CpAMvCO+XRO3oZfpPfKosdxs/IZYQSF/bYJVbvDbIkKQVgt9j3Z8OFeR2mUsxupq
uzIlwKjXsyY=
=xNDJ
-----END PGP SIGNATURE-----

+------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+------------------------------------------------------------------+