Steve,
(Why is it that half of the people on this list are named Steve? Why
am I Bob, and yet I never meet this Alice who keeps talking about me?)
(Sorry about the line-wrapping problem. I use a Windows-based email
program whose editor displays messages being composed in a tiny little
font that only fills about four inches on my screen. It doesn't have a
function to automatically word wrap after the 80th column on a punched
card -- the extra carriage returns are being added by your mailer. But I'll
try to count characters manually to make life easier for everybody.
Is this better?)
I believe that this sort of disclaimer should not be carried with the
x.509 certificates but rather via some other mechanism, perhaps the
signed messages themselves.
I think that a disclaimer is similar in many ways to authorization
information (or dis-authorization). Authorization information
deserves a separate mechanism which should not get mixed up with the
key - name binding mechanism (see ANSI X9F work).
Steve, I understand what you you are saying, but I disagree with you.
Because of the possibility that my keys may be stolen, I firmly believe
that some type of a disclaimer is necessary for my protection. Perhaps
more to the point, many of the employees that I have talked to are
also concerned about the liabilities that might be associated with
their digital signature, and have expressed reluctance to be issued
a certificate until these issues can be resolved. And as I have said
repeatedly, I can't count on my forger to include my disclaimer in
his forged messages.
Now there are several ways this protection could be provided:
1. Consumer-protection legislation and/or a clearly articulated
legal opinion that would firmly establish that, contrary to our
written signature tradition, a signature means NOTHING
until or unless we have something like an ANSI X9F1 certificate
and a well-structured financial tranaction that says it is OK.
Unfortunately, such protection is probably 5 to 10 years away,
at least.
2. The PCAs could provide an equally-clearly articulated statement
that is the equivalent of a Legal Notice, to the effect that it is
the firm intent and understanding of all of the users certified under
that PCA that they are not legally bound by anything they say
(or might be misattributed to them through a forgery). Unfortunately,
for presumably valid business reasons both the RSA Commercial
Hierarchy and the TIS-PCA have so far refused to go along with
that position -- they do not necewssarily want to rule out all
binding uses of digital signatures (and neither do I.) In addition,
Vint Cerf has taken the position that he doesn't think the Internet
Society should encourage the PCAs to take such a position, and
there are some concerns as to whether such a position would
have any legal effect in any case.
3. The CAs could try to impose such a policy. But the same problems
apply as in the case of the PCA, and in addition, there is no
available mechanism to alert the recipient of a document to the
CA's policy.
4. The last link of the chain is the user, and the only mechanism
that is guaranteed to be available and always referenced is the
digital signature certificate.
I would certainly have preferred that such a disclaimer or other
suitable mechanism have been included in the certificate itself,
but the PEM WG decided, for perfectly valid reasons, to adopt the
X.509 certificate. In retrospect, having done so, I wish we had been
more vigorous in insisting that changes be made to X.509, and it
appears that there may yet be time before the 1993 version is set
in concrete. However, the time is now, and we have to make the
best use of the tools that are available.
I think it especially egregious to consider carrying a disclaimer with
the actual name information. The NADF folks strongly recommend using
the "civil naming authorities" to "discover" our distinguished names.
(My parents named me Steve, not SteveCounterSignatureRequired).
I respect your opinion, but again I disagree. First of all, the NADF
only represents a consortium of a number of potential players X.500
directory providers in North America, and we need a system that will
work internationally, today. Second, although the "civil naming
authorities" may understand who Steve Dusse is (despite the fact
that I can't properly print your name with the accented e), they
don't understand organizations and certainly not organizational roles,
and therefore they are not likely to be responsible for complete
Distinguished Names.
I don't want to get all hung up on the operation of an X.500 directory,
but I would certainly assume that a browse function could be used to
discover your complete Distinguished Name, including any Description.
In particular, I am NOT assuming that you would have to put the
Description attribute in your X.400 email address! You can certainly
use aliases to point to the complete DN. I would hope that we haven't
become so programmed that we begin to think of our X.500 DNs as our
personal names -- that is a little too dehumanizing.
I understand that my suggestion is a bit of a hack, and that "that isn't
the way that it was supposed to work." As I said, I would prefer that
the information go into the certificate itself, for the reasons I have
spelled out before. But until then, I just can't get very hung up on the
political correctness of what constitutes a "silly" vs. a non-silly
Distinguished Name. It is clear to me that a Description attribute can
be part of an RDN, so it can be used to form the final leaf of the tree.
More importantly, it can be put in the DN portion of the X.509
certificate without doing too much violence to the architecture.
(The implementations may be another story.)
I fully understand and appreciate the issue that you are addressing.
It seems that you are trying to properly set the expectation level of
the receipient of my signed message as to the limits of my signature,
whether I know that receipient or not. Maybe this could be solved in
a slightly different way. Perhaps... (flame shields up) it would be
just as effective if the key holders had a way of conveying their
private-key protection mechanisms in their certificates. Perhaps this
could be considered an attribute of the public key in the certificate
rather than an attribute of the name...
I don't believe that simply telling the world what length keys you have
and how you are going to protect them solves the potential legal
problems if your key is stolen. But if you can think of a different way
of encoding the information, I'm more than willing to listen. Somehow,
though, including a legal disclaimer as an attribute of a public key
seems even worse than including it within the DN. But is your point that
we might be able to modify the algorithm description more easily
than the entire X.509 certificate definition?
Thanks for providing the information about TIPEM and CIS. I assumed
as much, but we have not yet created such a certificate in order to
try it.
Cheers,
Steve (I have no authority, why would anyone want to impersonate me)
Dusse
If and when you get around to using your own products e.g., RSA
CHECK and RSA SIGN, if not PEM) to digitally sign your software),
as you and all the other PEM implementors veally ought to do
[editorial opinion], someone might very well want to impersonate you.
In fact, considering the importance of that code, attacking TIPEM
might be a very lucrative approach. Now, if someone finds a Trojan
Horse in code that was apparently signed with your signature, would
you care? Would RSA care? Would someone who got burned decide
to sue you, RSA, the Internet, and anything that moves? Probably, but
would they win? Who knows? Who wants to take the risk?
My phone, office, desk, and computer are the property of the company
but the opinions are mine.
You're not married? :-)
Regards,
Bob [You don't have to be paranoid to have enemies -- but it helps]
Jueneman