I had composed a detailed reply to your comments and Tom's, but my e-mail
processor choked on your reply address. I deleted the period, whereupon I got a
divide-by-zero exception and lost it all. *$%#!!
The short and sweet of it was that if you want nonrepudiation that is provable
to a third party, you must either use a trusted third party to look up the CRL
immediately after receiving a message, then bind the CRL and the message
together with his statement that they were processed contemporaneously, OR you
must send the message to the CA for an authoritative comment. The second is
much simpler, as it avoids any problems with trusted clocks, etc.
You can of course get by with much less, especially for low-value transactions
between business partners that are well established. But in that case you don't
need PEM at all, or even a digital signature. Plain e-mail or a FAX will
suffice, unless you are worried about privacy.
For many PEM users this 2-party confirmation of certificate validity is
sufficient, and of course PGP users don't worry about revocation at all. But in
the long run PEM was intended to be interoperable with other security services
by means of a common infrastructure, and for such applications nonrepudiation
is more important.
I'd love to see either RFC1422 or PEM/MIME revised to address the possibility
of an on-line certificate VALIDATION service, in addition to the current
quasi-offline certificate Revocation service, but not at the cost of holding up
the spec.
I believe that Sead Muftic has implemented the on-the-fly certificate
validation service -- perhaps he would like to contribute an RFC or at least a
brief technical note.
I'd also like to have Ned or somebody provide a definitive writeup as to how
best to accommodate this certificate validation service with a MIME
environment.
Even though PEM may have too much overhead for the routine EDI messages
(although that isn't a given), at least some forms of electronic commerce may
very well be sent using PEM/MIME where formal nonrepudiation would be very
desirable.
Bob
--------------------------------
Robert R. Jueneman
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
Internet: Jueneman@gte.com
FAX: 1-617-466-2603
Voice: 1-617-466-2820
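The two options Bob sketches (a trusted third party that fetches the CRL on receipt and binds it to the message with a statement that the two were processed contemporaneously, or sending the message to the CA for an authoritative comment) can be modelled as follows. This is an added example written for this page, not code from the poster, from PEM, or from Sead Muftic's service. It uses only the Python standard library; the CRL structure, the `Notary` and `CertificationAuthority` classes, and the sample purchase-order message are all constructed here, and an HMAC under a key held by the notary (and checked by the later verifier) stands in for the notary's digital signature, which a real service would produce with a private key and which a third party would check with the matching public key.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet


@dataclass(frozen=True)
class CRL:
    """Minimal certificate revocation list: issuer, issue time, revoked serials."""
    issuer: str
    this_update: int                              # issue time, seconds since the epoch
    revoked: FrozenSet[int] = field(default_factory=frozenset)

    def digest(self) -> str:
        # Canonical JSON so the same CRL always hashes to the same value
        body = json.dumps({"issuer": self.issuer, "this_update": self.this_update,
                           "revoked": sorted(self.revoked)}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()


def _statement_mac(key: bytes, statement: Dict) -> str:
    # Assumption: HMAC over the canonical statement stands in for a digital
    # signature by the notary or CA; a real service signs with a private key.
    body = json.dumps({k: v for k, v in statement.items() if k != "mac"}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class Notary:
    """Option 1: trusted third party that looks up the CRL on receipt and binds it."""

    def __init__(self, key: bytes, current_crl: Callable[[], CRL]):
        self._key = key
        self._current_crl = current_crl           # returns whatever CRL is current right now

    def attest(self, message: bytes, signer_serial: int, now: int) -> Dict:
        crl = self._current_crl()                 # CRL lookup immediately after receipt
        statement = {
            "msg_digest": hashlib.sha256(message).hexdigest(),
            "crl_digest": crl.digest(),           # binds exactly this CRL to the message
            "crl_this_update": crl.this_update,
            "signer_serial": signer_serial,
            "revoked_at_receipt": signer_serial in crl.revoked,
            "processed_at": now,                  # the notary's clock, which must be trusted
        }
        statement["mac"] = _statement_mac(self._key, statement)
        return statement


def verify_attestation(statement: Dict, message: bytes, crl: CRL, notary_key: bytes) -> bool:
    """What a later third party checks: the statement is genuine, it covers this
    exact message and this exact CRL, and its verdict agrees with that CRL."""
    if not hmac.compare_digest(statement.get("mac", ""), _statement_mac(notary_key, statement)):
        return False                              # forged or altered statement
    if statement["msg_digest"] != hashlib.sha256(message).hexdigest():
        return False                              # statement is about a different message
    if statement["crl_digest"] != crl.digest():
        return False                              # a different CRL than the one bound
    return statement["revoked_at_receipt"] == (statement["signer_serial"] in crl.revoked)


def signer_was_valid(statement: Dict, message: bytes, crl: CRL, notary_key: bytes) -> bool:
    """True only if the attestation verifies and the signer was unrevoked at receipt."""
    return (verify_attestation(statement, message, crl, notary_key)
            and not statement["revoked_at_receipt"])


class CertificationAuthority:
    """Option 2: ask the CA directly. It consults its own live revocation
    records, so no published CRL and no trusted clock enter the picture."""

    def __init__(self, key: bytes):
        self._key = key                           # assumption: stands in for the CA's signing key
        self._revoked = set()

    def revoke(self, serial: int) -> None:
        self._revoked.add(serial)

    def comment(self, message: bytes, signer_serial: int) -> Dict:
        statement = {
            "msg_digest": hashlib.sha256(message).hexdigest(),
            "signer_serial": signer_serial,
            "valid": signer_serial not in self._revoked,
        }
        statement["mac"] = _statement_mac(self._key, statement)
        return statement


if __name__ == "__main__":
    # Constructed sample: serial 42 already revoked, serial 7 still good
    crl = CRL("CN=Example CA", this_update=1000, revoked=frozenset({42}))
    notary = Notary(b"notary-key", lambda: crl)
    message = b"Purchase order 1234: 500 units at $9.50"   # constructed sample message
    statement = notary.attest(message, signer_serial=7, now=1005)
    print("valid at receipt:", signer_was_valid(statement, message, crl, b"notary-key"))
```

The point the example makes concrete is that the verdict is bound to the CRL the notary actually saw: a later CRL that revokes serial 7 does not retroactively change the attestation, and offering that later CRL to the verifier fails the `crl_digest` check rather than silently changing the answer. The `CertificationAuthority.comment` path shows why the second option is simpler: there is no CRL to bind and no `processed_at` clock to trust.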