Key selector survey


Steve Kent writes:

      Still, this does not address the question of whether the
design of a system that facilitates communication without transmission
of certificates should be a goal of PEM.  Rhys gave some examples of
why he thought that might be a goal.  I'm not convinced that trying to
keep public keys secret is at all an appropriate access control model,
but the WG should decide that.  A more likely rationale is an attempt
at prevent traffic analysis, but TA was explicitly reuled out as a
security service for PEM in 1421, so this motivation would represent a
definate change of direction.


Steve, your message conveys the severity of introducing traffic
analysis as a security service.  Implementing TA security is not to be
taken lightly, and introducing a key selector only begins to address
the issues.

I would like to make an informal survey so we know what concerns we
are really addressing.  I especially ask for response from people who
have been vocal in favor of the key selector: warlord(_at_)mit(_dot_)edu,
rhys(_at_)fit(_dot_)qut(_dot_)edu(_dot_)au, wford(_at_)bnr(_dot_)ca, 
williams(_at_)atlas(_dot_)arc(_dot_)nasa(_dot_)gov,
perry(_at_)snark(_dot_)imsi(_dot_)com, vitor(_at_)uminho(_dot_)pt, 
galvin(_at_)tis(_dot_)com(_dot_)

1. Do you want the key selector because it hides the public key so
that people cannot factor the modulus?

2. If yes, would simply using a digest of the public key suffice (as
Burt Kaliski of RSADSI proposes, see included message below)?

3. Do you want the key selector because it wards off traffic analysis
so that the identities of the originators and recipients can be
concealed?

4. If yes, should we formally propose this as a design goal for
MIME/PEM and spend the time necessary to address all the issues
implied by such a goal (versus adding this service later, etc.)?

In general, if the answer to #1 is yes, I think we can reach closure
almost immediately.  If the answer to #3 is yes, more discussion is
needed.

- Jeff

Included message from Burt about using a digest of the public key:

  Which brings us back to the early proposal to identify public keys by 
  their message digest. The syntax:

    <digest algorithm identifier>, <digest of DER-encoded public key>

  should work just fine. (It works for all types of key, and the size is 
  constant.)

  -- Burt Kaliski
  RSA Laboratories

<Prev in Thread]	Current Thread	[Next in Thread>
Re: voting, (continued) Re: voting, Peter Williams Re: voting, James M Galvin Re: voting, Jeff Thompson Re: voting, Mr Rhys Weatherley Re: voting, Peter Williams Re: unpublished public keys (was: voting), James M Galvin Re: unpublished public keys (was: voting), Jeff Thompson Re: unpublished public keys (was: voting), James M Galvin Re: unpublished public keys (was: voting), Jeff Thompson Re: unpublished public keys (was: voting), Steve Kent Key selector survey, jefft <= Re: Key selector survey, Mr Rhys Weatherley Re: voting, Dave Crocker Re: voting, Steve Crocker Re: voting, Peter Williams Re: voting, Steve Crocker

Previous by Date:	Re: limitations of mime-pem transformation, Steve Crocker
Next by Date:	Re: summary of technical issues, Jamey Maze
Previous by Thread:	Re: unpublished public keys (was: voting), Steve Kent
Next by Thread:	Re: Key selector survey, Mr Rhys Weatherley
Indexes:	[Date] [Thread] [Top] [All Lists]