ietf-smime
[Top] [All Lists]

RE: Problem for public CAs

2000-02-07 13:40:03


-----Original Message-----
From: HORII Naoto [mailto:Naoto(_dot_)Horii(_at_)swift(_dot_)com]
Sent: Monday, February 07, 2000 1:33 PM
To: ietf-smime(_at_)imc(_dot_)org
Subject: Re: Problem for public CAs



Item 3 would typically be implemented by restricting the type of questions a
client can ask to the CA:

1) S/MIME certificates would be returned only if the subjectAltname is
unambiguously specified - e.g.

client: search certificate for 
subjectAltname=lawsg(_at_)it(_dot_)postoffice(_dot_)co(_dot_)uk
server: OK, certificate=blah

client: search certificate for 
subjectAltname=*(_at_)it(_dot_)postoffice(_dot_)co(_dot_)uk
server: ERROR, inavlid search key

For such a protection scheme to work, your directory server must obviously
be able to validate/
sanitize a search key against access rules - e.g. "no wildcards allowed in
search keys" - before
forwarding the search to your directory's backend engine.

<snip>

AWA: Of course, this doesn't work if you allow me an unlimited number of
queries to your directory.  I'll just start with some of the more "obvious"
possibilities and work my way out; e.g.,

        search for:  certificate for smith(_at_)company(_dot_)com
                       certificate for jsmith(_at_)company(_dot_)com
                         certificate for smithj(_at_)company(_dot_)com
                         ...

It's not real efficient, but hey, that's what computer programs are for. :-)
Sooner or later, I'll get a reasonable number of certs, and away I go.  I'll
chew up a lot of network bandwidth and leave footprints all over your
directory, but if you let me search like this, it's worth it - if there's
money to be made in spamming, I don't care what it costs you for me to get
the addresses. :-)  

                                Al Arsenault

-- insert usual disclaimer about this being my opinion, and not reflecting
the opinion of my employer or of any other organization with which I have a
relationship

-- insert second disclaimer: no, I don't spam, I don't like spam, I don't
harvest names to help somebody else spam;...


<Prev in Thread] Current Thread [Next in Thread>