pem-dev

Mail based Re: X.509 DN semantics

1993-10-06 10:06:00

Regarding Mail-Based Automatic Responders....

Brad,
You raise some important issues that I will address below:

1) Speed
First of all, the response is automatic.  I don't manually respond to
your DN requests.  It is mail-based however, so the speed is
determined by how fast e-mail gets delivered to my host and back to
yours.

2) Practicality
For some applications this scheme would be good enough; for some
others it may not.  My guess is that any application which uses e-mail
to send messages could handle speed of order O(email), where email is
the speed of e-mail delivery.

3) Getting Certificates
Actually, you can get my Certificate in a similar fashion.  Send mail
to ali@ctt.bellcore.com with a subject line of
"CERTIFICATE-REQUEST".
The reason I did not advertise it was because currently you will
receive a *demo* certificate which is not mine.

4) Authenticity, Validity, and Trustworthiness
You touched on an important point.  For information that is self
verifiable, this scheme works fine.  For example, if you ask for my
certificate, no one else can spoof the response because you can detect
it by verifying my certificate.  

The situation is slightly more complicated for DNs.  This is because
the DN is a string and by itself may not be sufficiently verifiable.
There are several solutions for this however:
A) I will not send you my DN in a plain message, I will send you a PEM
signed-only message with my DN in the body.  This you can verify.
This assumes you trust certificate verification.  This is a chicken
and egg problem because the certificate itself uses DN!!  :-(

B) You don't trust the DN that you receive by itself.  You use X.500
to lookup more information on me.  For example my address, phone
number, job, .... and then use that information to verify the DN.
This you can do in many ways:
        i) You use out-of-band mechanisms such as calling my phone or
           sending me postal mail to get my picture.
        ii) Alternatively, the information returned by the X.500
            server may alone satisfy you that the person is me.
Both of these assume that you have known me, or some information on me.
Also assumed is that you trust the information sent back from the
X.500 directory.

If you have never known me or Mr. Joe Smith, I can walk up to you and
give you a business card saying that I am Joe Smith.  I would have a
hard time convincing you that I am Bill Clinton though. :-)

Again, I claim that this solution would suffice for some applications.
However, as I hinted above, we have a problem and I will put my
theoretical hat back on:
        What we need is a DN scheme that is self verifiable
        With that, you then need secure/verifiable Name Mapping
        such as Certificate-Based Name Mapping.
Unless these problems are solved, I claim that no hack will be ideal.

_______________________________________________________________________
Alireza Bahreman                          E-Mail: bahreman@bellcore.com
Bellcore, Room RRC-1K221                  Phone : +1 908 699 7398
444 Hoes Lane, Piscataway, NJ 08854       Fax   : +1 908 336 2943


You write:
You can!  For example send a mail to me using my e-mail address
(ali@ctt.bellcore.com) with the following subject line:

     DISTINGUISHED-NAME-REQUEST

You will get my DN.

Do you seriously think this solution is usable in a production
environment?

It roughly triples the delivery time for email since I have to send a
message to you, then get your DN back, then send you the real message.
Am I correct in assuming that once I have your DN I still have to look
it up in the directory to get your certificate?  I suppose if you're
going to send me a mail message with your DN in it, you might as well
send me the certificates as well...

For sites that connect once a day with dialup this scheme could be
slower than surface mail!

For that matter, how do I even know that the reply is from you?  I have
to trust that your DN, which may be something really obscure like
c=us@o=compuserv@cn=37234806 or something normal looking like
c=us@st=colorado@l=boulder@cn=Ali Bahreman, is really associated with
your email address <ali@ctt.bellcore.com>?  Heck, you may have never
even been to Boulder Colorado and here some bad guy in the middle has
spoofed your DN.

Granted if I _started_ by looking for you in an X.500 directory it
would have been easier, but if I have only your address (which is
common practice today), I've no way of knowing with _any_ certainty
that the DN I get back from such an untrusted request is really yours.


brad
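
The exchange the two messages above argue about, as an added example that is not
part of the thread and not the responder or any PEM code of either author: a toy
Python model of the Subject-line-driven auto-responder and of the checks the
recipient runs on its PEM-style "signed-only" reply. The key pairs (textbook RSA
over SHA-256 with fixed primes, standing in for PEM's real signature profile),
the certificate layout and the DN strings are all constructed for this example.
Three scenarios are run: a genuine reply, Brad's man-in-the-middle who rewrites
the DN to a Boulder address, and an attacker who signs Ali's DN with a different
CA-issued certificate. The last one is the point of the example: the signature
verifies, so the DN string is trustworthy only after it is compared with the
certificate subject (Ali's "chicken and egg"), and nothing in the reply binds
that DN to the e-mail address the request went to, which is the gap Brad raises.

```python
"""Toy model of the Subject-line-driven DN responder and of the checks on its reply.

Added illustration, not the thread's responder or any PEM implementation.
Keys, certificate layout and DN strings are constructed for this example.
"""
import hashlib
import re

# Textbook RSA over SHA-256 with fixed primes: an assumption standing in for
# PEM's real signature profile so the example is deterministic and runs offline.
def make_key(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

CA_PUB, CA_PRIV = make_key(4294967291, 1000000007)             # constructed CA key
ALI_PUB, ALI_PRIV = make_key(2147483647, 2305843009213693951)  # constructed responder key
MAL_PUB, MAL_PRIV = make_key(998244353, 1000000009)            # constructed attacker key

# A certificate binds a DN to a public key under the CA's signature.  Note what it
# does not bind: an e-mail address, which is the gap Brad points at.
def issue_cert(ca_priv, subject_dn: str, subject_pub) -> dict:
    tbs = f"{subject_dn}|{subject_pub[0]}|{subject_pub[1]}".encode()
    return {"subject": subject_dn, "pub": subject_pub, "sig": sign(ca_priv, tbs)}

def check_cert(ca_pub, cert: dict) -> bool:
    tbs = f"{cert['subject']}|{cert['pub'][0]}|{cert['pub'][1]}".encode()
    return verify(ca_pub, tbs, cert["sig"])

ALI_DN = "c=US@o=Bellcore@cn=Ali Bahreman"   # constructed, in the thread's DN notation
MAL_DN = "c=US@o=Mallory Inc@cn=Mallory"     # constructed attacker DN, also CA-issued
ALI_CERT = issue_cert(CA_PRIV, ALI_DN, ALI_PUB)
MAL_CERT = issue_cert(CA_PRIV, MAL_DN, MAL_PUB)

def responder(subject_line: str):
    """Auto-responder keyed on the Subject line, as the thread describes.

    Every reply is a signed-only message: readable body, signature over the
    body, and the responder's certificate so the recipient can verify it.
    """
    cmd = subject_line.strip()
    if cmd == "DISTINGUISHED-NAME-REQUEST":
        body = f"DN: {ALI_DN}"
    elif cmd == "CERTIFICATE-REQUEST":
        body = "CERTIFICATE-RESPONSE"       # the certificate itself rides along below
    else:
        return None                          # anything else is ordinary mail, not a request
    return {"body": body, "sig": sign(ALI_PRIV, body.encode()), "cert": ALI_CERT}

def verify_dn_reply(ca_pub, reply: dict) -> dict:
    """Recipient-side checks on a DN reply.

    The third check is the one that matters: the DN is a string, so it is only
    trustworthy if it equals the subject of the certificate that signed it.
    Nothing here ties that DN to the e-mail address the request was sent to;
    that binding still has to come from the directory or out of band.
    """
    cert = reply["cert"]
    if not check_cert(ca_pub, cert):
        return {"ok": False, "reason": "certificate not issued by trusted CA"}
    if not verify(cert["pub"], reply["body"].encode(), reply["sig"]):
        return {"ok": False, "reason": "body signature invalid"}
    m = re.fullmatch(r"DN: (.+)", reply["body"])
    if not m or m.group(1) != cert["subject"]:
        return {"ok": False, "reason": "DN in body does not match certificate subject"}
    return {"ok": True, "dn": m.group(1)}

def scenarios() -> dict:
    genuine = responder("DISTINGUISHED-NAME-REQUEST")
    # Man in the middle rewrites the DN (Brad's Boulder example) but cannot re-sign.
    tampered = dict(genuine, body="DN: c=us@st=colorado@l=boulder@cn=Ali Bahreman")
    # Attacker signs Ali's DN with their own key and their own CA-issued certificate:
    # the signature verifies, so only the subject comparison catches it.
    spoof_body = f"DN: {ALI_DN}"
    spoofed = {"body": spoof_body, "sig": sign(MAL_PRIV, spoof_body.encode()), "cert": MAL_CERT}
    return {name: verify_dn_reply(CA_PUB, r)
            for name, r in (("genuine", genuine), ("tampered", tampered), ("spoofed", spoofed))}

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:9s} {result}")
```

Running the block prints one line per scenario; only the genuine reply comes back
with ok=True. The responder answers on the Subject line alone, so the request costs
one round trip of e-mail each way, which is the O(email) cost the thread argues
over. What the successful verification yields is a DN that a trusted CA has bound
to a key; whether that DN belongs to the person behind ali@ctt.bellcore.com is
still the directory's or an out-of-band check's job, exactly as both messages say.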
