[cap-talk] [Fwd: Re: [e-lang] What do CAs contribute...an ironic short term benefit]
Bill Frantz
frantz at pwpconsult.com
Wed Feb 16 18:13:29 EST 2005
On 2/16/05, David Hopwood <david.nospam.hopwood at blueyonder.co.uk> wrote:
>Bill Frantz wrote:
>> On 2/9/05, marcs at skyhunter.com (marcs) wrote:
>>
>>>Uh...hmmm....now that I've assigned a pet name to that certificate, which is
>>>a unique identifier all on its own...remind me, what value is Verisign
>>>giving me?
>>
>> Verisign is letting the owner of that certificate (Mark Miller) generate a
>> new key and pass the trust you have in the current key into the new one.
>
>Verisign isn't needed for that. Use an off-line master key to sign on-line
>subkeys, like in OpenPGP, SPKI, or if you must use X.509, proxy certificates
>(RFC 3820).
>
>If the master key is lost or compromised, then reestablishing the petname-
>master key binding is no more difficult than it was in the first place.
>This is not a common enough case to justify the vulnerability to a CA.
I think the re-keying problem is an enormous problem which has not yet been discussed. There are a number of reasons for re-keying, including:
* The key has been around for a while. A draft NIST document <http://csrc.nist.gov/encryption/kms/key-management-guideline-(workshop).pdf> suggested that private authentication keys have a maximum life of 1 to 2 years.
* The key has been used to encrypt a bunch of data. Steve Bellovin wrote, "When using [Triple DES with] CBC mode, one should not encrypt more than 2^32 64-bit blocks under a given key. That comes to ~275G bits, which means that on a GigE link running flat out you need to rekey at least every 5 minutes, which is often impractical."
* The algorithm has been broken or weakened. For example, there is a new attack against SHA1 (see <http://www.schneier.com/blog/archives/2005/02/sha1_broken.html>). Since E uses SHA1(public key) as a secure identifier (for vats), E should look for an alternative algorithm.
If the goal is to establish a long-term, cryptographically verified, identity, but still allow re-keying and algorithm changes, some sort of trusted third party may be the best engineering solution.
I think the need to change algorithms is perhaps the most difficult problem to deal with. If we assume that RSA falls to a practical quantum computer, and that there is a replacement public key algorithm, then it is not clear to me how to take the trust in the long-term RSA master key and move it to a new long-term key.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz | The first thing you need when | Periwinkle
(408)356-8506 | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter. | Los Gatos, CA 95032
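The off-line-master/on-line-subkey arrangement Hopwood describes, and the master-succession step Bill asks about in the last paragraph, as an added example in Go (example code, not E's vat identifier scheme nor anything from the cap-talk or e-lang projects). Assumptions: Ed25519 for both the master and the subkeys, SHA-256 over an algorithm label plus the raw public key as the fingerprint a petname is bound to (standing in for E's SHA1(public key)), and a made-up byte encoding for the two signed statements. The succession statement carries the new key's algorithm label, so the same check covers moving to a different algorithm; it only helps while the old master's signatures are still trusted, which is exactly the case Bill flags as unsolved when the old algorithm has already fallen.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Fingerprint is the long-lived identifier a petname is bound to: SHA-256 over an
// algorithm label and the raw public key (assumed substitute for E's SHA1(pubkey)).
func Fingerprint(alg string, pub []byte) string {
	h := sha256.New()
	h.Write([]byte(alg))
	h.Write([]byte{0})
	h.Write(pub)
	return hex.EncodeToString(h.Sum(nil))
}

// SubkeyCert binds an on-line subkey to a validity window under the off-line master.
type SubkeyCert struct {
	Subkey    ed25519.PublicKey
	NotBefore int64 // Unix seconds
	NotAfter  int64
	Sig       []byte
}

// certBytes is the (invented) signed encoding; the prefix keeps it distinct from other statements.
func certBytes(sub ed25519.PublicKey, nb, na int64) []byte {
	var ts [16]byte
	binary.BigEndian.PutUint64(ts[:8], uint64(nb))
	binary.BigEndian.PutUint64(ts[8:], uint64(na))
	return bytes.Join([][]byte{[]byte("subkey-cert-v1"), ts[:], sub}, nil)
}

// IssueSubkey is the only operation that needs the off-line master private key.
func IssueSubkey(master ed25519.PrivateKey, sub ed25519.PublicKey, nb, na time.Time) SubkeyCert {
	c := SubkeyCert{Subkey: sub, NotBefore: nb.Unix(), NotAfter: na.Unix()}
	c.Sig = ed25519.Sign(master, certBytes(sub, c.NotBefore, c.NotAfter))
	return c
}

// VerifyViaSubkey accepts msg only if pinned fingerprint -> master -> subkey -> signature
// all check out and the subkey is inside its window; a rotated-out subkey fails here.
func VerifyViaSubkey(pinned string, master ed25519.PublicKey, c SubkeyCert, msg, sig []byte, now time.Time) error {
	if Fingerprint("ed25519", master) != pinned {
		return errors.New("master key does not match pinned fingerprint")
	}
	if !ed25519.Verify(master, certBytes(c.Subkey, c.NotBefore, c.NotAfter), c.Sig) {
		return errors.New("subkey certificate not signed by master")
	}
	if t := now.Unix(); t < c.NotBefore || t > c.NotAfter {
		return errors.New("subkey certificate outside its validity window")
	}
	if !ed25519.Verify(c.Subkey, msg, sig) {
		return errors.New("message signature invalid under subkey")
	}
	return nil
}

// Succession is the old master's statement naming its replacement; NewAlg lets the
// replacement use a different algorithm than the key signing the statement.
type Succession struct {
	NewAlg string
	NewPub []byte
	Sig    []byte
}

func successionBytes(alg string, pub []byte) []byte {
	return bytes.Join([][]byte{[]byte("master-succession-v1"), []byte(alg), {0}, pub}, nil)
}

func Rotate(old ed25519.PrivateKey, newAlg string, newPub []byte) Succession {
	return Succession{NewAlg: newAlg, NewPub: newPub, Sig: ed25519.Sign(old, successionBytes(newAlg, newPub))}
}

// AcceptSuccessor returns the fingerprint the petname should now point at, or refuses
// when the statement did not come from the currently pinned master.
func AcceptSuccessor(pinned string, old ed25519.PublicKey, s Succession) (string, error) {
	if Fingerprint("ed25519", old) != pinned {
		return "", errors.New("succession offered by a key that is not the pinned master")
	}
	if !ed25519.Verify(old, successionBytes(s.NewAlg, s.NewPub), s.Sig) {
		return "", errors.New("succession statement not signed by old master")
	}
	return Fingerprint(s.NewAlg, s.NewPub), nil
}

func main() {
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader)
	pinned := Fingerprint("ed25519", masterPub) // what the petname is bound to
	subPub, subPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	cert := IssueSubkey(masterPriv, subPub, now.Add(-time.Hour), now.Add(30*24*time.Hour))
	msg := []byte("constructed sample message") // constructed input
	sig := ed25519.Sign(subPriv, msg)
	fmt.Println("current subkey:", VerifyViaSubkey(pinned, masterPub, cert, msg, sig, now))
	fmt.Println("after expiry:  ", VerifyViaSubkey(pinned, masterPub, cert, msg, sig, now.Add(400*24*time.Hour)))
	newPub, _, _ := ed25519.GenerateKey(rand.Reader) // a replacement master, same algorithm here
	next, err := AcceptSuccessor(pinned, masterPub, Rotate(masterPriv, "ed25519", newPub))
	fmt.Println("re-pinned to:", next, err)
}
```

The petname holder stores only the fingerprint; the master private key never comes on-line except to sign a subkey certificate or a succession statement, and the verifier re-pins on succession without any third party in the loop.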