Re: [pkix] fyi: Sovereign Keys: an EFF proposal for more secure TLS authentication

["Miller, Timothy J." <tmiller@mitre.org>]

On 12/9/11 11:57 AM, "Adam Langley" <agl@google.com> wrote:

>That doesn't stop a user from being compromised, as you point out. But
>it means that it's possible to answer the question: "what's the
>current set of valid certificates for example.com"?

Actually, not so much.  Since the selection of notaries is potentially
random, an inspection of some m of n notaries only yields a probability
you have to interpret, not an actual answer.  Further, this confidence
score is proportional to the cardinality of the set of notaries, and since
the set of notaries is unbounded this is going to be a problem.

You can require example.com to specify which notaries are authorized to
vouchsafe for example.com certificates, but now you have the problem of
communicating this to the user.  You can't do it in-band because the
attacker will simply supply his own list of colluding (or duped) notaries.
 This is almost exactly the problem you were trying to solve, but removed
to a different level.

>I don't claim that this is perfection, but I'm suggesting that it's an
>improvement, and one that we can reasonably deploy.

Overall I still think it's easier to have the notary (keeping in mind that
the user can be his own notary) observe what example.com publishes by
simply observing example.com directly, then communicate this to the user.
There are fewer moving parts, the code will be simpler, and the assurance
is nearly the same.

-- T