IETF Logo Mail Archive

RE: Online Certificate Revocation Protocol

Lynn.Wheeler@firstdata.com Wed, 13 June 2001 07:30 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA17060 for <pkix-archive@odin.ietf.org>; Wed, 13 Jun 2001 03:30:45 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.3/8.11.3) id f5D6ckh09456 for ietf-pkix-bks; Tue, 12 Jun 2001 23:38:46 -0700 (PDT)
Received: from mail.Firstdatacorp.COM (mail.firstdatacorp.com [204.124.84.42]) by above.proper.com (8.11.3/8.11.3) with ESMTP id f5D6cjJ09446 for <ietf-pkix@imc.org>; Tue, 12 Jun 2001 23:38:45 -0700 (PDT)
Received: (from smtp@localhost) by mail.Firstdatacorp.COM (8.9.3/8.9.3) id BAA26662; Wed, 13 Jun 2001 01:24:39 -0500 (CDT)
X-Authentication-Warning: mail.firstdatacorp.com: smtp set sender to <Lynn.Wheeler@firstdata.com> using -f
Received: from () by mail via smap (V2.1) id xma026657; Wed, 13 Jun 01 06:24:12 GMT
Subject: RE: Online Certificate Revocation Protocol
To: "Scherling, Mark" <mscherling@rsasecurity.com>
Cc: Carlin Covey <ccovey@cylink.com>, ietf-pkix@imc.org
From: Lynn.Wheeler@firstdata.com
Date: Wed, 13 Jun 2001 00:32:05 -0700
Message-ID: <OF26FD23BC.B742FF5A-ON88256A6A.0028789E@fdcsg.1dc.com>
X-MIMETrack: Serialize by Router on SRVMTA1/FDR/FDC(Release 5.0.7 |March 21, 2001) at 06/13/2001 01:38:11 AM
MIME-Version: 1.0
Content-type: text/plain; charset="us-ascii"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
List-ID: <ietf-pkix.imc.org>


the notary can do what he does today ... certifies that the person
possesses some number of things (like some device for signing which can be
verified with a specific public key) and some number of other things ....
effectively a combination of the existing notary business practices along
with some things like a RA & CA  ....aka the notary is responsible for
whatever the notary standards require the notary to attest to ... if the
notary standard says that the standard is a driver's license, a passport, a
hardware token that requires a PIN, and actually perform a digital
signature ... then the notary can attest to that. If a different notary
standard requires the notary to validate a RA & CA process done by some
other entity (which checked a drivers license, a passport, and that a
specific digital signature could be verified) ... in the form of a valid
digital signature ... then the notary could attest to that.

The notary, in theory, could also do an online validation that a specific
public key was registered to a specific person (say a new kind of online
request sent to one of the existing credit bureaus) ... and that the entity
seemd to be the same (an online request instead of needing a certificate
designed for satisfying authentication requirements in an offline world)
.... it is whatever the notary is supposed to be notarizing.

Just because most existing (capital) PKIs happen to specify certificates
that were a paradigm solution to authentication opportunities in an offline
world ... doesn't necessarily mean that the process that a notary would use
in an online world need be the same





"Scherling, Mark" <mscherling@rsasecurity.com> on 06/12/2001 08:18:37 AM

To:   Lynn Wheeler/CA/FDMS/FDC@FDC, Carlin Covey <ccovey@cylink.com>
cc:   ietf-pkix@imc.org
Subject:  RE: Online Certificate Revocation Protocol


If there is a notary in the context of the transaction then the notary
would
be liable for the transaction if the certificate and private key that
signed
the document originally was proven to be invalid (i.e. key was assumed
destroyed but copy made and copy signed document).  I think that we can
argue that there was no intent by the owner of the key to sign the
document,
however their digital signature is attached to the document signed by the
notary, who did not know that the key was destroyed (no record of key
revocation, certificate is valid, so notary signs).

I really like the idea of a notary function but you still need to revoke
the
key if it was destroyed.  A key that was destroyed is in an unknown state
(was the key really destroyed and are there no duplicates?).  So the CA
must
revoke the key to place it in a known state.  The public key can still be
used to verify transaction prior to the revocation.  However anything after
revocation should be rejected.  I feel that the security risks associated
with leaving a key in an unknown state are far greater than the problems
associated with revoking a key.


-----Original Message-----
From: Lynn.Wheeler@firstdata.com [mailto:Lynn.Wheeler@firstdata.com]
Sent: Monday, June 11, 2001 7:04 PM
To: Carlin Covey
Cc: ietf-pkix@imc.org
Subject: RE: Online Certificate Revocation Protocol





.... as per aside ... having somebody sign a document ... and then a
notary validate the signature with the public key, and then the notary
signs a composite document ... consisting of the originally signed
document, the signer's public key, and the current time ... and then log it
to a secure audit trail ..... could be done completely w/o the original
signer's certificate .... since in effect, the notary can perform at least
all the feature/function of a RA & CA as part of their function (in effect
the composite document that the notary signs .... is a kind of
certificate).

It isn't absolutely necessary to know any validity period (from a
certificate) of the original signer's public/private key .... it is just
necessary that the notary validates the information as correct at the time
it was signed/validated (and/or can be later shown to be valid at the time
of the signing).

.... have you noticed that the postings to the mailing list seems to have
some sort of lag? I've yet to see my original reply to you made at 3:59
(MDT) ... 3 hrs later (presumably you answered the copy of the reply sent
directly).






"Carlin Covey" <ccovey@cylink.com> on 06/11/2001 04:42:12 PM

To:   Lynn Wheeler/CA/FDMS/FDC@FDC
cc:   <ietf-pkix@imc.org>
Subject:  RE: Online Certificate Revocation Protocol


Lynn,

I quite agree that notarizing, with or without secure time, is a more
comprehensive solution.  I simply proposed one-time signature keys as an
example of a situation in which the certificate is expressly intended to be
valid after the private key has been destroyed.  Now whether anyone would
want to use one-time signature keys is another matter ....

Regards,

Carlin

____________________________

-  Carlin Covey
   Cylink Corporation

-----Original Message-----
From: Lynn.Wheeler@firstdata.com [mailto:Lynn.Wheeler@firstdata.com]
Sent: Monday, June 11, 2001 3:59 PM
To: Carlin Covey
Cc: Bob Jueneman; ietf-pkix@imc.org
Subject: RE: Online Certificate Revocation Protocol




in many cases, notary can include the idea of (secure) time .... i.e. that
not only can you proove who signed it ... but also when it was signed.

in principle, private keys (whether compromised or not) should not be able
to "pre-date" such a notorized, secure "time" signing.

typical solution is either a secure audit trail .... and/or to encapsulate
the signing inside some other transaction/document which includes a secure
time which is then signed by the notary function. The notary function
(wether audit trail or encapsulated function) can also include the business
function of validating/prooving the original signature (aka the notary
attests to the validity of a specific signature at a specific time).

while a one-time key with non-expiring certificate could meet a subset of
the business requirement .... it is not clear how many business processes
would need just the subset w/o needing the rest of the capability (aka, a
secure audit that establishes the validity of a signature executed at a
specific time would subsume the need for a one-time signature key and also
meet additional normal, day-to-day business requirements .... aka not only
is there the issue of what order a sequence of signatures might have taken
place .... but also what order did signatures take place within the context
of real-world events and sequences ... i.e. time).

If you are going to go to all the trouble of a notary ... dump the stuff
with the one-time private key .... and meet the rest of the business
requirements which includes did the signature verify and at what time did
the signature verify.






"Carlin Covey" <ccovey@cylink.com>@mail.imc.org on 06/11/2001 10:00:12 AM

Sent by:  owner-ietf-pkix@mail.imc.org


To:   "Bob Jueneman" <bjueneman@novell.com>
cc:   <ietf-pkix@imc.org>
Subject:  RE: Online Certificate Revocation Protocol



[Bob Jueneman]:

Indeed, although some have deprecated the concept of a private key validity
period, it makes a great deal of sense to DELIBERATELY destroy a given
signature key, especially a code or certificate signing key, well before
the
corresponding certificate expires.  From the point of view of the
certificate subscriber, this minimizes his risk by making certain that the
key can NOT be compromised, yet the certificate has not expired or been
revoked, so the certificate will continue to validate properly.

[Carlin Covey]:

I agree with Bob.  It might even be desirable to use "one-time" signature
keys for signing particularly important documents, such as major contracts,
wills, etc.   There might even be a "super non-repudiation" policy
associated with the guaranteed destruction of the signature private key.
This might be implemented via some trusted hardware token that generates
the
keypair, signs the document, destroys the private key, and signs a
notification of private key destruction.  Another possibility is some sort
of trusted "key-destruction notary" service that notarizes the document,
and
then destroys the certified one-time signature key as a matter of policy.

Regards,

Carlin

____________________________

-  Carlin Covey
   Cylink Corporation

v2.23.0 | Report a Bug | By Email