RE: Combo DSS/ElGamal keys

[dpkemp@missi.ncsc.mil (David P. Kemp)]

> From: Carlisle Adams <Cadams@entrust.com>
>
> Maybe I haven't seen the full details of this proposal, but what you've
> written here doesn't make sense to me.  If the DH public value is in a
> *certificate*, why would another public value (in this case a DSS value)
> _in_the_same_certificate_ be useful for authenticating the DH exchange?
> 
> In other words, if you trust the certificate to tie the DSS public value
> to an entity, why can you not trust the certificate to tie the DH public
> value to an entity?  What further authentication assurance does the DSS
> key (in the same certificate as the DH value) have?


One situation where this is needed is in email, where you have only one
message to establish the key, not a two or three message interactive
handshake.

"Paul's book :-)" (the Handbook of Applied Cryptograpy) describes El Gamal
key agreement in section 12.6 and calls it "half-certified Diffie-Hellman".
In it, the recipient is authenticated to the originator by the D-H
certificate, but if the recipient wants to authenticate the originator,
some other mechanism (such as a signature certificate) is needed.
So 1-message protocols which use CAs to certify key establishment keys
might find a DH-with-DSS certificate (to be used only for an atomic key
establishment algorithm) to be appropriate.

But specifically for PGP, if an issuer certifies the user's DSS key and
the user signs his own DH public key, then the issue of multiple-key
certificates does not even come up - the DH and DSS keys are signed by
different entities, even if they do happen to be aggregated together in
some larger certificate-containing structure.