--On Tuesday, December 30, 2008 04:36:12 PM -0600 Nicolas Williams
<Nicolas(_dot_)Williams(_at_)sun(_dot_)com> wrote:
Applying a principle of redundancy in RTI algorithms to symmetric key
protocols is fairly simple. Applying such a principle to PKI seems
rather more difficult -- it's not just hash algorithms, but pk
algorithms too. Your example was to require not just the implementation
of multiple hash (but not pk) algorithms, but to require the *use* of
those. That makes sense to me, but it's not quite the same principle
being applied to PKI as to SSH.
Correct. I'm suggesting that in the case of PKI, merely having two RTI
algorithms wouldn't be sufficient; at least for long-term certificates you
need to actually sign using two algorithms in order to get the
interoperability benefit. Validating using both isn't necessary, though it
does have a benefit, in that no code or configuration changes are required
to continue to be safe as long as at least one is good enough.
IMHO, one of the biggest problems in the current PKI standards is that
there is no ability to future-proof certificates by generating signatures
with multiple algorithms. The result is that you can't start signing with
a new algorithm until everyone understands it, and you can't stop accepting
an old algorithm without either reissuing lots of certificates with a new
one or waiting for them to expire. This means movement is very slow and we
are unable to abandon a broken algorithm in a hurry. The former is poor;
the latter is a disaster waiting to happen.
-- Jeff
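The policy Jeff describes, issuing a certificate with signatures under two algorithms and letting a relying party accept it as long as one signature under an algorithm it still trusts verifies, is easy to show in code. The following is an added example, not code from either poster or from any PKI implementation; it uses HMAC with a shared demo key as a stand-in for a public-key signature so that it runs with only the Python standard library, and the algorithm labels, `Certificate`/`Verifier` classes and the `migration_scenario` walk-through are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field

# Signature "algorithms" for this demonstration. HMAC over a shared key stands in
# for a public-key signature; the multi-signature policy is the point here, not
# the primitive. Labels are constructed for the example.
ALGORITHMS = {
    "sig-sha1": "sha1",      # the "old" algorithm that will later be deprecated
    "sig-sha256": "sha256",  # the "new" algorithm not every verifier understands yet
}


def sign(key: bytes, tbs: bytes, alg: str) -> bytes:
    """Produce one signature over the to-be-signed bytes with one algorithm."""
    return hmac.new(key, tbs, ALGORITHMS[alg]).digest()


def verify_one(key: bytes, tbs: bytes, alg: str, sig: bytes) -> bool:
    """Check a single signature in constant time."""
    return hmac.compare_digest(sign(key, tbs, alg), sig)


@dataclass
class Certificate:
    tbs: bytes
    signatures: dict = field(default_factory=dict)  # algorithm label -> signature


def issue(key: bytes, tbs: bytes, algs) -> Certificate:
    """Issue a certificate carrying one signature per requested algorithm."""
    return Certificate(tbs, {alg: sign(key, tbs, alg) for alg in algs})


@dataclass
class Verifier:
    accepted: set  # algorithms this relying party understands and still trusts

    def verify(self, key: bytes, cert: Certificate) -> bool:
        """Accept when at least one signature under an accepted algorithm verifies.

        Signatures under algorithms the verifier does not know are skipped rather
        than treated as errors, so a dual-signed certificate stays usable by an
        older verifier, and a newer verifier can drop the old algorithm without
        waiting for the certificate to be reissued.
        """
        return any(
            alg in self.accepted and verify_one(key, cert.tbs, alg, sig)
            for alg, sig in cert.signatures.items()
        )


def migration_scenario() -> dict:
    """Walk a single-signed and a dual-signed certificate through three verifier
    generations; constructed demo key and subject, not real certificate data."""
    key = b"constructed demo key"
    tbs = b"CN=example, notAfter=2030-01-01"
    single = issue(key, tbs, ["sig-sha1"])
    dual = issue(key, tbs, ["sig-sha1", "sig-sha256"])
    tampered = Certificate(tbs + b"!", dict(dual.signatures))  # modified tbs, old sigs

    legacy = Verifier({"sig-sha1"})                  # does not know sig-sha256 yet
    transitional = Verifier({"sig-sha1", "sig-sha256"})
    post_break = Verifier({"sig-sha256"})            # sig-sha1 has been abandoned

    return {
        "single/legacy": legacy.verify(key, single),
        "single/post_break": post_break.verify(key, single),     # must be reissued
        "dual/legacy": legacy.verify(key, dual),                 # unknown alg skipped
        "dual/transitional": transitional.verify(key, dual),
        "dual/post_break": post_break.verify(key, dual),         # no reissue needed
        "tampered/transitional": transitional.verify(key, tampered),
    }


if __name__ == "__main__":
    for name, ok in migration_scenario().items():
        print(f"{name}: {ok}")
```

The two results worth watching are `single/post_break`, which fails because the only signature is under an abandoned algorithm, and `dual/post_break`, which still verifies with no change to the certificate. A verifier that wanted the stricter property mentioned in the thread (validate under both) would replace `any` with a check that every accepted algorithm present verifies.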