From: p(_dot_)churchyard(_at_)ic(_dot_)ac(_dot_)uk
Date: Fri, 8 Oct 93 15:14:14 bst
Ok, I agree that rogue CAs that are under a trustworthy PCA are a problem. Having just written some re-signing code for certificate issuing, I have just realized that as a CA I could do this! It was late at night!

They are only a problem for names which are subordinate to that rogue CA. So what?
[ For this example I will use DNS names rather than X.500 names for the purpose of clarity; X.500 names seem to cause more confusion than anything else, unfortunately. ]
Suppose the CA for BOGUS.COM was a rogue CA --- then it could generate arbitrary fake certificates for tytso(_at_)BOGUS(_dot_)COM, or jis(_at_)BOGUS(_dot_)COM, or kent(_at_)BOGUS(_dot_)COM, or anything else. It would, however, not be able to create fake certificates for tytso(_at_)MIT(_dot_)EDU, since that would break the name subordination rule; if programs saw a certificate for tytso(_at_)MIT(_dot_)EDU, signed by the CA for BOGUS.COM, it would reject it.
In other words, the CA for BOGUS.COM could only fake certificates for users that very clearly are labeled for BOGUS.COM. It should be very clear that tytso(_at_)BOGUS(_dot_)COM and tytso(_at_)MIT(_dot_)EDU are two completely different identities.
At some level, though, this makes sense. If you are the system administrator for BOGUS.COM, you can create all the mailboxes for BOGUS.COM you want --- there's no guarantee that postmaster(_at_)BOGUS(_dot_)COM, john(_at_)BOGUS(_dot_)COM, bob(_at_)BOGUS(_dot_)COM, tom(_at_)BOGUS(_dot_)COM are mailboxes for different people; they might all be mailboxes for the same person. Why should the situation be any different for PEM certificates?
This is why I used DNS names for this example. For some strange reason, while no one would think that tom(_at_)MIT(_dot_)EDU and tom(_at_)BOGUS(_dot_)COM would be confused, when the equivalent is done using X.500 names, it somehow adds enough of an air of mystery that people think that the names would be confused.
Sigh.... the whole name is important! No one would think about merely looking at the left-hand-side of a DNS-style email address ---- why do people think that you can just look at the last component of an X.500-style name?!?
A different question is: could PEM deployment survive the situation where, say, a PCA or CA finds its key compromised, thus invalidating all the certificates issued under it?
Nope, not really. If a CA key gets compromised, the PCA puts the CA's certificate on its (the PCA's) Certificate Revocation List. The CA then generates a new public/private key pair, and the PCA signs the CA's new public key. The CA then needs to create and sign new certificates for all of its users. (Note that its users do NOT have to generate new public/private key pairs; if the CA has a trustworthy list of its users and their public keys stashed away someplace, it would be possible for the CA to generate new certificates for all of its users without even needing to contact its users.)
So while this may require a lot of work for the CA, it is hardly impossible. This is one good reason for using something like the BBN Safekeeper box to perform CA functions, though. This way, the private key is inside a tamperproof box, and it is much, much less likely that the CA private key would get compromised.
- Ted
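The two checks discussed in this message, the name subordination rule and the PCA's CRL after a CA key compromise, as an added illustration that is not part of the original post or of any PEM implementation. It assumes DNS-style names, that signatures have already been verified separately, and constructs its own sample certificates and CRL entries following the BOGUS.COM example; the PCA name and serial numbers are made up.

```python
from __future__ import annotations
from dataclasses import dataclass

PCA = "PCA:EXAMPLE"  # constructed name for the trust anchor (the PCA)

@dataclass(frozen=True)
class Cert:
    subject: str  # "tytso@BOGUS.COM" for a user, "BOGUS.COM" for a CA
    issuer: str   # name of the CA (or PCA) whose key signed this certificate
    serial: int   # the value a CRL lists when revoking this certificate

def domain_of(name: str) -> str:
    """DNS part of a name; a CA name is already a bare domain."""
    return name.rsplit("@", 1)[-1].upper()

def is_subordinate(subject: str, issuer: str) -> bool:
    """Name subordination: the subject's domain equals the CA's domain or
    lies below it on a label boundary (NOTBOGUS.COM is not under BOGUS.COM)."""
    s, i = domain_of(subject), domain_of(issuer)
    return s == i or s.endswith("." + i)

def validate(chain: list[Cert], revoked: set[tuple[str, int]]) -> tuple[bool, str]:
    """chain[0] is the user certificate, each later entry is the CA that signed
    the one before it, and the last must be certified by the PCA.
    revoked holds (issuer, serial) pairs merged from the issuers' CRLs."""
    for idx, cert in enumerate(chain):
        if (cert.issuer, cert.serial) in revoked:
            return False, f"{cert.subject}: serial {cert.serial} is on {cert.issuer}'s CRL"
        if cert.issuer == PCA:
            return True, "ok"  # reached the trust anchor
        if idx + 1 == len(chain):
            return False, f"{cert.subject}: chain does not reach the PCA"
        parent = chain[idx + 1]
        if parent.subject != cert.issuer:
            return False, f"{cert.subject}: issuer {cert.issuer} is not {parent.subject}"
        if not is_subordinate(cert.subject, parent.subject):
            return False, f"{cert.subject}: not subordinate to CA {parent.subject}"
    return False, "empty chain"

# Constructed sample data following the message's example.
BOGUS_CA = Cert("BOGUS.COM", PCA, 1)
GOOD = Cert("tytso@BOGUS.COM", "BOGUS.COM", 10)               # legitimate
FORGED = Cert("tytso@MIT.EDU", "BOGUS.COM", 11)               # rogue CA faking an MIT name
LOOKALIKE = Cert("tytso@MIT.EDU.BOGUS.COM", "BOGUS.COM", 12)  # valid; the whole name shows BOGUS.COM

if __name__ == "__main__":
    print(validate([GOOD, BOGUS_CA], set()))       # (True, 'ok')
    print(validate([FORGED, BOGUS_CA], set()))     # rejected: not subordinate
    print(validate([LOOKALIKE, BOGUS_CA], set()))  # accepted: read the whole name
    crl = {(PCA, BOGUS_CA.serial)}                 # PCA revokes the CA after a key compromise
    print(validate([GOOD, BOGUS_CA], crl))         # rejected: CA is on the PCA's CRL
    print(validate([Cert("tytso@BOGUS.COM", "BOGUS.COM", 20), Cert("BOGUS.COM", PCA, 2)], crl))  # (True, 'ok')
```

The re-issued chain at the end passes with the same user name and a fresh CA serial, which is the recovery path the message describes; user keys are not modelled because they do not change.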