At 09:44 AM 1/14/2002 -0800, Eric Rescorla wrote:
>"Stef Caunter" <[EMAIL PROTECTED]> writes:
>> Does a user of ssl services care to know absolutely that they are
>> communicating verifiably with whom they believe they have contacted, or does
>> the user care to know absolutely that their communication is completely
>> private?
>These are inextricably connected. If you want to know that
>your communications are private in the face of active attack
>you need to know who you're talking to as well.

Of course you do. That's why https://store.palm.com/ is such a problem. You thought you were talking to (and wanted to talk to) Palm Computing, just like the logos and page layout said you were. You're not. You're talking to a MITM. Palm hired them to run the store? The certificates don't say that.

[snip]

>> Why can't self-verification be promoted? Why can't an nslookup call be built
>> into certificate presentations?
>What are you talking about? An nslookup call wouldn't help anything.
>The essential problem is establishing that the public key you receive
>over the network actually belongs to the person you think it does.
>In the absence of a prior arrangement, the only way we know how
>to do this is to have that binding vouched for by a third-party.

Actually, Eric, the third party might confuse that for you. The function it performs with respect to naming is not totally unlike the function of early anonymizers. The TTP chooses a name to bind to the public key that might have only a tenuous relation to the name by which you know the keyholder. As a result, when you do a name comparison between the certificate Subject and what you know about this person, "the person you think it does", you may have to make a guess about whether the match is correct.

Here we spend all this effort to reduce the probability of error, in the cryptography, to values like 2^{-128} and then make the security decision depend just as much on a guess with a much greater probability of error. From the point of view of error probability, we should have left out the cryptographic part entirely.

 - Carl

P.S. the workshop where we should (and probably will) be discussing this is http://www.cs.dartmouth.edu/~pki02/ and there are still two weeks before papers are due.

+--------------------------------------------------------+
|Carl Ellison       Intel        E: [EMAIL PROTECTED]    |
|2111 NE 25th Ave   M/S JF3-212  T: +1-503-264-2900      |
|Hillsboro OR 97124              F: +1-503-264-6225      |
|PGP Key ID: 0xFE5AF240          C: +1-503-819-6618      |
|  1FDB 2770 08D7 8540 E157 AAB4 CC6A 0466 FE5A F240     |
+--------------------------------------------------------+

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]