Frank,

I think your analysis was pretty darn good.
I don't have any points of dispute, just
amplifications.


Frank Hecker wrote:


> * Regardless of what is done regarding Level 1 CAs, I believe your suggestion about changing Mozilla is worth considering. From my point of view, if a user has been receiving email from a particular address signed with a private key associated with a particular certificate, and then receives a new email message from the same address but signed with a different private key associated with a new certificate from a different CA, then that is a security-relevant event, and should arguably cause Mozilla to issue a warning message.


Right, however it is done, notification of such
an event should be made.  I think this would be
one case where a warning could be justified,
notwithstanding other discussions (there remains
a lot of open experimentation to determine what
the best way to deliver warnings is;  the current
popup method seems not to work well, in general).


> As you note, such a warning would be analogous to the warning that SSH displays when you connect to a server and the key appears to have changed. Yes, with SSH we are dealing with self-signed certificates and here with CA-issued certificates, but I think that the underlying situation from the user's point of view is similar: something has happened that may mean that a man in the middle attack has occurred, and the user should be made aware of that possibility.


Right.


> I am not convinced by the argument that a warning is not justified because "we can't say any of the certificates is better than the other, because they are all good".

That is a circular argument. The security model *assumes* that all certs are good. What Ben's explanation shows is what happens when all certs are not good. As long as the explanation holds in some practical form, the assumption is shown to be not true in all cases.

The two ways forward are to a) re-affirm the
statement that all certs are equal, and accept
consequent security holes, or b) break the
assumption;  all certs are not all good and
the model needs to be fixed to cope with that
change in the original design assumptions.

Having written that, only one of the above ways
goes forward, exactly :)


> If all certificates are equally good, why do CAs offer different types of certificates associated with different levels of verification (i.e., Level 1, Level 2, etc.)? For that matter, why are there multiple CAs at all? Given that there are multiple CAs, and that those CAs do different levels of verification, it seems to me that if an entity (apparently) switches from using one type of certificate to another type, such a switch means that the perceived level of assurance in the accompanying transaction may change, and that change is worth noting.


Exactly.

(I agree with all the rest!)

iang

PS: As a historical aside, I've been aware of
this flaw for some time, thanks to Peter Gutmann
(sorry, I haven't got a reference to his writings
on this).

But, I dismissed it as irrelevant, for reasons
that I now can't fathom;  only in discussions
here on this list, concluding with Ben's example,
has it become apparent how much of a core and
killer security bug in the PKI the "all certs
are equal" assumption is.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
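The SSH-style "sender's signing key changed" check discussed in the message above, as an added illustration that is not part of the thread and not Mozilla code. It assumes each verified S/MIME signature has already been reduced to a constructed record (sender address, issuing CA, public-key fingerprint, certificate fingerprint); the store then behaves like SSH's known_hosts, accepting a plain renewal (same key, same CA) silently, but flagging a new key and, separately, a cert for the same address from a different CA, until the user explicitly accepts the change. Names, the sample addresses and the fingerprint inputs are all constructed for the example.

```python
"""Sender-certificate continuity check modelled on SSH's known_hosts.

Added example, not Mozilla or NSS code. A real client would fill
SignerInfo from the verified S/MIME signature; here the records are
constructed by hand so the example runs offline.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SignerInfo:
    sender: str   # From: address the signature is claimed to cover
    issuer: str   # CA that issued the signing certificate
    spki_fp: str  # fingerprint of the signer's public key
    cert_fp: str  # fingerprint of the whole certificate


def fingerprint(data: bytes) -> str:
    """Short SHA-256 fingerprint; input is constructed sample bytes here."""
    return hashlib.sha256(data).hexdigest()[:16]


class ContinuityStore:
    """Remembers the last accepted signer per sender address."""

    def __init__(self):
        self._seen = {}  # sender address -> SignerInfo

    def check(self, info: SignerInfo) -> str:
        prev = self._seen.get(info.sender)
        if prev is None:
            # Trust on first use, exactly as SSH does for a new host.
            self._seen[info.sender] = info
            return "first-seen"
        if prev.cert_fp == info.cert_fp:
            return "ok"
        if prev.spki_fp == info.spki_fp and prev.issuer == info.issuer:
            # Same key, same CA, new certificate: an ordinary renewal.
            self._seen[info.sender] = info
            return "renewed"
        if prev.spki_fp == info.spki_fp:
            # Same key but a different CA vouching for it: worth noting.
            return "warn-new-ca"
        if prev.issuer == info.issuer:
            # New private key, same CA: the case the thread compares to SSH.
            return "warn-new-key"
        # New key *and* a different CA: the "all certs are equal" hole.
        return "warn-new-key-new-ca"

    def accept(self, info: SignerInfo) -> None:
        """Record a change the user has reviewed and chosen to trust."""
        self._seen[info.sender] = info


def run_demo() -> list:
    """Feed a constructed message sequence through the store."""
    store = ContinuityStore()

    def sig(issuer: str, key: bytes, cert: bytes) -> SignerInfo:
        return SignerInfo("alice@example.org", issuer,
                          fingerprint(key), fingerprint(cert))

    msgs = [
        sig("CA-A", b"alice-key-1", b"cert-1"),  # first mail from alice
        sig("CA-A", b"alice-key-1", b"cert-1"),  # same cert again
        sig("CA-A", b"alice-key-1", b"cert-2"),  # renewal, same key/CA
        sig("CA-A", b"alice-key-1", b"cert-2"),  # renewed cert again
        sig("CA-B", b"alice-key-2", b"cert-3"),  # other CA, other key
        sig("CA-B", b"alice-key-2", b"cert-3"),  # still unaccepted
    ]
    outcomes = [store.check(m) for m in msgs]
    store.accept(msgs[-1])                      # user reviewed the change
    outcomes.append(store.check(msgs[-1]))
    return outcomes


if __name__ == "__main__":
    for i, result in enumerate(run_demo(), 1):
        print(f"message {i}: {result}")
```

The store deliberately does not overwrite its record on a warning: a warning that silently becomes the new baseline would let a single spoofed message retrain the check, so only an explicit `accept()` (the user's "yes" to the prompt) moves the baseline.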
