If I were a nasty CA (like from a rival company) one of the things I can
do is to change the certificates on any PEM messages and thus can
change the attribution of the PEM message.
Since I know the public key used to sign a message, I can generate a new
certificate that has that public key. I just copy over the MIC and the
message body intact and that's it...
The fix is easy to the PEM protocol and also touches on one of the areas
that I think the PEM specs are wrong.
The fix.
PEM should transport RFC822 messages and not just the RFC822 message body.
I assume the situation you're worried about is where the message is
encrypted; if it isn't, the bad guy could just as well compute a new
signature on the plaintext message. For an encrypted message, the
recipient could be tricked into believing that the faked sender knows
some information that he in fact does not.
I believe the problem you describe is a symptom of a much larger problem. The
problem is that when you send a mail message, your message assumes a
lot of context but what you sign is just the message. If someone
sends you a request for authorization to buy a stapler, and you send
back a signed message saying: "Yes, I approve", that message could be
used as evidence that you approved anything for anyone at any time.
(Alternately, you could claim it was meaningless for the same reason).
The solution is to sign everything relevant to set the context of the
message. The PEM design could have helped you out by automatically
including the TO:, FROM:, CC:, SUBJECT:, and DATE: fields in the message
body without your having to think of it yourself, but as the example
above shows, it still doesn't solve the whole problem. An implementation
could still do that and still put out valid PEM messages. Including
the whole RFC822 header is neither necessary nor sufficient. I would
have opposed it as clumsy if it had been proposed earlier; it
definitely seems late for such a modification now unless it has
spectacularly good side effects for MIME integration.
--Charlie
(kaufman@zk3.dec.com)
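The two verifier behaviours discussed in this thread, written out as an added example (not code from either poster): a MIC over the body alone lets a certificate re-bound to the same key change the attribution, while folding the From:/To:/CC:/Subject:/Date: fields into the signed input lets the verifier notice the mismatch. SHA-256 stands in for PEM's RSA-signed MIC, the certificate is reduced to a (subject, key id) pair, and the addresses are constructed.

```python
import hashlib
from dataclasses import dataclass

# Header fields that set the context of a message (the list from the reply above).
CONTEXT_HEADERS = ("From", "To", "CC", "Subject", "Date")

@dataclass
class PemMessage:
    headers: dict       # RFC822 header: outside PEM's encapsulated text, so unsigned
    body: bytes         # encapsulated text: what the MIC actually covers
    mic: str            # the MIC carried in MIC-Info
    cert_subject: str   # name the certificate binds to the signing key
    cert_key_id: str    # identifier of the public key in that certificate

def mic(signed_input: bytes) -> str:
    # Stand-in for the MIC (assumption: SHA-256 here; PEM used RSA-signed MD2/MD5).
    return hashlib.sha256(signed_input).hexdigest()

def canonical_context(headers: dict) -> bytes:
    # Fold the context fields into the signed input in a fixed order, so the
    # verifier can recompute exactly what the signer committed to.
    return b"".join(f"{h}: {headers.get(h, '')}\r\n".encode() for h in CONTEXT_HEADERS)

def sign_body_only(headers, body, signer, key_id):
    # What the thread says PEM does: only the message body is covered by the MIC.
    return PemMessage(headers, body, mic(body), signer, key_id)

def sign_with_context(headers, body, signer, key_id):
    # The proposed fix: commit to the context fields together with the body.
    return PemMessage(headers, body, mic(canonical_context(headers) + body), signer, key_id)

def attribute_body_only(m: PemMessage):
    # Verifier that trusts the certificate alone; returns who the message is attributed to.
    return m.cert_subject if mic(m.body) == m.mic else None

def attribute_with_context(m: PemMessage):
    # Verifier that also requires the signed From: to agree with the certificate's subject.
    if mic(canonical_context(m.headers) + m.body) != m.mic:
        return None
    return m.cert_subject if m.headers.get("From") == m.cert_subject else None

def rebind_certificate(m: PemMessage, new_name: str) -> PemMessage:
    # Model of the scenario above: a rival CA certifies the same public key under
    # another name; MIC and body are copied over unchanged and From: is rewritten.
    return PemMessage(dict(m.headers, From=new_name), m.body, m.mic, new_name, m.cert_key_id)
```

Leaving From: untouched and swapping only the certificate is caught by the same check, since the signed From: then disagrees with the certificate subject.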