I have several issues with that statement of a threat model.
1. As I mentioned in another post in this group, a cert is a signed statement from a cert issuer, certifying the binding of a name or names to a public key. The statement is either true or false. If any part of it is false, then the statement is false. I would not say that the statement contains a fraudulent value. The presentation of such a false statement is (or may be) an act of fraud.
The relying user only cares about certain fields. If parts of the statement that don't affect the user are false, then that is not a threat.
The private key is a means, not an end. It is not the binding of a name to the key that the user cares about, it is the binding of a name to the communication peer. The key is but an intermediate step in this process--one possible attack is to the binding of name to key, another is to attack the binding of key to peer.
As Ian Grigg mentions, a true but misleading statement is a credible threat. A peer might truly be the entity that registered the domain "www.ebay-reregister.com", but that entity might be a phishing scammer.
I would restate that statement as follows:
A crucial threat is that
(a) an attacker is able to present, to a relying browser (or email) user,
a cert, verifiably signed (possibly indirectly) by a trusted CA's
private key, containing a binding of names to a public key, and
(b) the attacker is able to demonstrate that he holds the private key
that complements the public key in the certificate, even though he
is not the rightful holder of the names in the cert, and
(c) the relying browser user is unable to detect the false presentation
of this cert through various channels of communication of certificate
revocation information from the cert's issuer, with the result that
(d) the browser/email user relies on the false presentation to his
own detriment.
You're using a lot more words than necessary. The main threat is that an attacker can present something that fools the user. All the various ways this could come about are sub-threats, to be listed underneath the main threat.
You miss an important point of the original statement, that only a subset of the fields in the certificate are relevant to the threat model. If an attacker is only able to get a fraudulent value in the zip code field, that does not necessarily break the security model.
I would add a second statement.
A second crucial threat is that
(a) a relying browser/email user receives a true and proper presentation
of a certificate and cryptographic proof of the presenter's private
key ownership, but
(b) the relying user receives false information concerning the revocation
of the certificate via the channels of communication of such
revocation information, falsely indicating that the certificate has
been revoked, with the result that
(c) the relying email/browser user rejects the truly presented cert,
and does not rely on the information, to the relying user's detriment.
More simply put, this is the denial-of-service threat, that a credentialed peer is unable to present their cert to the user.
Another threat would be that evaluating a cert issued by the CA could cause Mozilla to malfunction. A CA that has malfunctioning or overly fragile OCSP responders would pose such a threat.
OK. Such a threat statement agrees with the view that proper operation of revocation channels, and conveyance of the correct revocation information is also a threat to the relying user.
By "malfunction" I meant stuff like "run slowly, hang, crash, or execute hostile code". My intention was to exclude false positive and false negative revocations from this particular threat.
Fraudulent revocation does not obviously relate to the browser's security model.
It relates to the relying user's security model. The user may be just as harmed by rejecting true information as by accepting false.
OK, denial-of-service is a legitimate threat. It does, however, have a lower cost and many more non-CA-related attack vectors.
Your original statement of threat model seems to speak only to falsification of information at the time of cert issuance;
No, it spoke to falsification of information at the time of presentation to the user. Falsification of information at the time of cert issuance is one attack vector, obtaining the key of the true owner of the identity is another.
