Re: Are ++ and -- operators really more efficient



Keith Thompson <kst-u@xxxxxxx> writes:

> Mark Wooding <mdw@xxxxxxxxxxxxxxxx> writes:
>> But there's no need to send the certificate. An indication of the right
>> key is sufficient -- and that needn't be any longer than a tinyurl
>> suffix (i.e., without the `http://tinyurl.com/' on the front).
>
> But you still need a way to verify that it's the right key. If I want
> to forge a message so that it appears to be from you, I can trivially
> generate a PGP key for "Mark Wooding <mdw@xxxxxxxxxxxxxxxx>", upload
> it to the servers, and use it to sign my forgeries.

You've misunderstood my point. Consider an alternate world where S/MIME
was designed slightly differently. Rather than containing the public
key certificate chain directly, the signature contains a URL indicating
where the certificate can be found. This is a simple indirection step.
Clients verifying signatures need to fetch the certificate in order to
be able to display the signer's identity; clients might maintain a
cache, or simply rely on a caching web proxy. (It'll be a plain HTTP URL:
there's no need for heavyweight HTTPS here.)

What can an adversary do to this scheme that he can't do to current
S/MIME? Well, he can impersonate the HTTP server, e.g., by DNS
poisoning or something; or he can just swap the URL for a different one.
Either way, he gets to substitute a different certificate. But this
isn't different from S/MIME, where he could just swap the certificate in
the signature.

Besides, in fact none of this really matters. `Keith Thompson', to me,
is nothing but a label I have for a source of wisdom on matters of C.
If you sign your articles (and I care to verify them -- which, as a
matter of course, I don't) then what I really care about is that your
/public key/ denotes a source of C wisdom. Public keys are long and
hard to remember, but I can give them nicknames -- maybe I'd call it
`Keith Thompson'. (This idea that public keys represent principals --
rather than attempting to introduce an indirection layer between public
keys and real-world identities -- underlies the SPKI/SDSI system.)

Finally, there's another problem which signatures just don't address. I
could, quite easily, start (re-)signing your messages using my key (with
a sock-puppet name attached). There's no particularly interesting
change here -- the credit which should have gone to `Keith Thompson' now
goes to `mdw's sock puppet', but this is a trivial renaming. But I can
do worse: I could also (re-)sign messages from (say) Han from China
(maybe editing them slightly). Now everyone who gets messages through
me (could be quite a lot of people, if I play stupid games with cancel
messages and so on) thinks that their previously reliable source has
become a ghastly troll.

It's a bit far-fetched. But it's still vaguely possible, and there just
isn't any crypto you can use to stop it. Sorry.

-- [mdw]
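
The URL-indirection scheme and the keys-as-principals idea from the post above, as an added example that is not part of the original message: the verifier fetches the key over an untrusted channel and names the signer only from its own nickname table, indexed by key fingerprint. Assumptions: a Lamport one-time signature stands in for the real S/MIME signature algorithm so that only the standard library is needed, a bare public key stands in for the certificate, and the `certs.example` URLs, the `identify` helper and the sample message are hypothetical.

```python
import hashlib, secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 secret pairs; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, b"".join(H(a) + H(b) for a, b in sk)

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return b"".join(sk[i][bit] for i, bit in enumerate(bits(msg)))

def verify(pk, msg, sig):
    if len(pk) != 256 * 64 or len(sig) != 256 * 32:
        return False
    return all(H(sig[i * 32:i * 32 + 32]) == pk[i * 64 + bit * 32:i * 64 + bit * 32 + 32]
               for i, bit in enumerate(bits(msg)))

def fingerprint(pk):
    return hashlib.sha256(pk).hexdigest()

def identify(msg, sig, url, fetch, petnames):
    # fetch() is untrusted (plain HTTP, cache, proxy): it may return any key or None.
    pk = fetch(url)
    if pk is None or not verify(pk, msg, sig):
        return None  # signature does not match whatever the URL served
    fp = fingerprint(pk)
    return petnames.get(fp, "unknown key " + fp[:16])

def demo():
    # Constructed sample data: two keys and a dict standing in for the web.
    sk_k, pk_k = keygen()
    sk_f, pk_f = keygen()  # second key whose owner may claim any name it likes
    web = {"http://certs.example/k": pk_k, "http://certs.example/f": pk_f}
    petnames = {fingerprint(pk_k): "Keith Thompson"}  # the reader's own nicknames
    msg = b"sample article body (constructed)"
    sig = sign(sk_k, msg)
    genuine = identify(msg, sig, "http://certs.example/k", web.get, petnames)
    swapped = identify(msg, sig, "http://certs.example/f", web.get, petnames)
    resigned = identify(msg, sign(sk_f, msg), "http://certs.example/f", web.get, petnames)
    return genuine, swapped, resigned

if __name__ == "__main__":
    print(demo())
```

Swapping only the URL makes verification fail, and re-signing under the second key verifies but resolves to an unknown principal rather than to the pinned nickname. Nothing in the check reveals that the re-signed text originated elsewhere.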