SV: Online Certificate Revocation Protocol

[egil.mannerheim@foreningssparbanken.se]

Bob

You adress som interesting areas. One of them is if and when you need
notarization. In January 2001, Sweden passed a law about qualified digital
signatures, which basiclly states that a qualified digital signature is as
good as/ or better than a hand written signature.

We also have Busniess laws, which regulates how long you have to keep
buisness documents i.e. contracts. Now if our company gets into a legal
dispute after i.e. 15 yrs after a contract was signed, then it´s utterly
important to us that we can verify and validate, when a certifcate was
signed and valid. 

Real case scenario: 10 000 -15000 users (companies) will be able to
digitally sign their tax form and send to the National Tax Board ( swedish
IRS).

Therefore my opinion and conclusion is that:  It´s very important to support
and implement notarization by i.e time-stamping!

With best regards

Egil Mannerheim
Senior IS/IT Security professional



	-----Ursprungligt meddelande-----
	Från:	Bob Jueneman [SMTP:bjueneman@novell.com]
	Skickat:	den 12 juni 2001 19:12
	Till:	mscherling@rsasecurity.com
	Kopia:	ietf-pkix@imc.org
	Ämne:	RE: Online Certificate Revocation Protocol


	Mark, I still disagree.  If a key was deliberately destroyed, then
it is in a considerably less unknown state than it was before. After all,
the question of unknown duplicates, or even known duplicates (escrow) also
applies while the key is in active use, as well.  If the user was sloppy
about the destruction, then maybe he was sloppy about its protection before
the fact, as well, and that is something no notary is going to be able to
help with.

	But I think there may be a more fundamental disconnect.

	My point is that few, if any, people are likely to go to all of the
trouble to time stamp and notarize messages that are received, just so they
can prove at some point after the certificate has expired (or been revoked)
that it was valid at the time the document was signed or the signature was
first verified.  Unfortunately, having spent the last 15 or so years of my
career in this field, I see a very disappointing amount of uptake for PKI
other than for immediate access control decisions (including SSL
certificates).  And despite a number of brave, (and perhaps increasingly
desperate) vendors of time stamping/notarization systems, I see little
indication of any significant deployment of such systems.

	Even if PKI is eventually used and accepted by businesses (and I
certainly hope it will be), most transactions are over and done with at the
time they are first received.  Even those that aren't concluded immediately,
such as back-ordered merchandise, are accepted and held in abeyance.  And
the number of times that the signature validity of such a transaction would
be questioned is virtually nil.  Business simply don't operate on the
fictional "let's do business with complete strangers" model.  Instead,
virtually every business, of whatever type, operates on a cyclical, monthly
statement type of basis, and on the basis of trust between the partners -- a
trust which goes far beyond the simple question of identity.

	While I don't disagree that it might be nice to have all of the
powerful timestamping, etc., mechanisms, available in case they just might
be needed, I would argue that they are far from necessarily in the vast
majority of cases -- maybe 999,999 out of a million. And the cost and
complexity of establishing such mechanisms may not be worth it. We simply
aren't using (nor very likely to use) PKI for the type of enduring
transactions between strangers (wills, deeds of trust, etc.) that gives rise
to the necessity of nonrepudiation measures.  Even in those cases where
documents are examined long after they were written, a legal challenge to
the signature is exceptionally rare.

	The rest of the time, and this was the essence of my previous
comment, it is sufficient to validate the signature at the time it was
received, or shortly thereafter.  If any question arises and the certificate
hasn't expired, then the relying party can revalidate the certificate at
that time and will still receive a valid answer. 

	Perhaps I should state my assumption explicitly: The probability
that a given certificate will need to be reverified declines very sharply
with time after the initial verification, at least for most relevant
business transactions (not including wills and trusts, obviously). Time
stamping is therefore only required if one believes that the transaction
will have significant probative value at some uncertain time in the future,
after the certificate has expired.  

	(True notarization, as opposed to a mere time stamped validity
check, is probably even less necessary. An exception might be for those
transactions (typically involving unsophisticated consumers) where it is
necessary to impress them with the ceremonial importance of their acts and
to act as a true witness for their mental competency, absence of coercion,
etc. as well as justifying the high fees typically involved in such a
routine transaction. Buying or selling a house and taking on a mortgage is
about the only such transaction that people do very often that might benefit
from true notarization, and even then it is quite questionable.  After all,
if you move out of your house and let someone else move in, it is pretty
obvious that you approved of the transaction.  And if you don't pay the
mortgage, the bank will foreclose, regardless of the signature or lack
thereof.)

	If you assume, as I suggested, that private keys and certificates
are taken out of service well before the end of their validity period and
new ones created, i.e., for most transactions the certificate expiration
date will be a year or more in the future, then this is a safe and
reasonable assumption and timestamping is probably not required.  And this
is true regardless of whether the private key was destroyed or not.

	Some correspondents have suggested that providing anything less than
the absolute ultimate in security will prevent PKI from ever getting off the
ground.  While I would hesitate to predict whether or not PKI will ever
succeed, the fundamental problem would seem to be due to spending too much
time and effort to mitigate risks that weren't terribly large to begin with,
or didn't fit a reasonable business model.

	And even then, classical PKI only provides information about an
entity's identity. And identity, while certainly useful for auditing terms,
is neither absolutely necessary nor sufficient for the ultimate purpose,
which is to decide exactly what that entity is trusted to do, or why the
entity should be trusted at all.  Granted, given someone's identity I can
look up their privileges in my locally maintained directory,.but in that
case why do I need a certificate at all, especially if the keys are
ultimately going to be protected with a password in any case.

	Too much mechanism to mitigate too little risk, and this 10 years
after the first PKI standard was first written.  Too little, and much too
late, I am increasingly afraid.

	Bob



	>>> "Scherling, Mark" <mscherling@rsasecurity.com> 06/12/01 09:18AM
>>>

	If there is a notary in the context of the transaction then the
notary would
	be liable for the transaction if the certificate and private key
that signed
	the document originally was proven to be invalid (i.e. key was
assumed
	destroyed but copy made and copy signed document).  I think that we
can
	argue that there was no intent by the owner of the key to sign the
document,
	however their digital signature is attached to the document signed
by the
	notary, who did not know that the key was destroyed (no record of
key
	revocation, certificate is valid, so notary signs).

	I really like the idea of a notary function but you still need to
revoke the
	key if it was destroyed.  A key that was destroyed is in an unknown
state
	(was the key really destroyed and are there no duplicates?).  So the
CA must
	revoke the key to place it in a known state.  The public key can
still be
	used to verify transaction prior to the revocation.  However
anything after
	revocation should be rejected.  I feel that the security risks
associated
	with leaving a key in an unknown state are far greater than the
problems
	associated with revoking a key.  


	-----Original Message-----
	From: Lynn.Wheeler@firstdata.com [mailto:Lynn.Wheeler@firstdata.com]

	Sent: Monday, June 11, 2001 7:04 PM
	To: Carlin Covey
	Cc: ietf-pkix@imc.org 
	Subject: RE: Online Certificate Revocation Protocol





	... as per aside ... having somebody sign a document ... and then a
	notary validate the signature with the public key, and then the
notary
	signs a composite document ... consisting of the originally signed
	document, the signer's public key, and the current time ... and then
log it
	to a secure audit trail ..... could be done completely w/o the
original
	signer's certificate .... since in effect, the notary can perform at
least
	all the feature/function of a RA & CA as part of their function (in
effect
	the composite document that the notary signs .... is a kind of
	certificate).

	It isn't absolutely necessary to know any validity period (from a
	certificate) of the original signer's public/private key .... it is
just
	necessary that the notary validates the information as correct at
the time
	it was signed/validated (and/or can be later shown to be valid at
the time
	of the signing).

	... have you noticed that the postings to the mailing list seems to
have
	some sort of lag? I've yet to see my original reply to you made at
3:59
	(MDT) ... 3 hrs later (presumably you answered the copy of the reply
sent
	directly).






	"Carlin Covey" <ccovey@cylink.com> on 06/11/2001 04:42:12 PM

	To:   Lynn Wheeler/CA/FDMS/FDC@FDC
	cc:   <ietf-pkix@imc.org>
	Subject:  RE: Online Certificate Revocation Protocol


	Lynn,

	I quite agree that notarizing, with or without secure time, is a
more
	comprehensive solution.  I simply proposed one-time signature keys
as an
	example of a situation in which the certificate is expressly
intended to be
	valid after the private key has been destroyed.  Now whether anyone
would
	want to use one-time signature keys is another matter ....

	Regards,

	Carlin

	____________________________

	-  Carlin Covey
	   Cylink Corporation

	-----Original Message-----
	From: Lynn.Wheeler@firstdata.com [mailto:Lynn.Wheeler@firstdata.com]

	Sent: Monday, June 11, 2001 3:59 PM
	To: Carlin Covey
	Cc: Bob Jueneman; ietf-pkix@imc.org 
	Subject: RE: Online Certificate Revocation Protocol




	in many cases, notary can include the idea of (secure) time ....
i.e. that
	not only can you proove who signed it ... but also when it was
signed.

	in principle, private keys (whether compromised or not) should not
be able
	to "pre-date" such a notorized, secure "time" signing.

	typical solution is either a secure audit trail .... and/or to
encapsulate
	the signing inside some other transaction/document which includes a
secure
	time which is then signed by the notary function. The notary
function
	(wether audit trail or encapsulated function) can also include the
business
	function of validating/prooving the original signature (aka the
notary
	attests to the validity of a specific signature at a specific time).

	while a one-time key with non-expiring certificate could meet a
subset of
	the business requirement .... it is not clear how many business
processes
	would need just the subset w/o needing the rest of the capability
(aka, a
	secure audit that establishes the validity of a signature executed
at a
	specific time would subsume the need for a one-time signature key
and also
	meet additional normal, day-to-day business requirements .... aka
not only
	is there the issue of what order a sequence of signatures might have
taken
	place .... but also what order did signatures take place within the
context
	of real-world events and sequences ... i.e. time).

	If you are going to go to all the trouble of a notary ... dump the
stuff
	with the one-time private key .... and meet the rest of the business
	requirements which includes did the signature verify and at what
time did
	the signature verify.






	"Carlin Covey" <ccovey@cylink.com>@mail.imc.org on 06/11/2001
10:00:12 AM

	Sent by:  owner-ietf-pkix@mail.imc.org 


	To:   "Bob Jueneman" <bjueneman@novell.com>
	cc:   <ietf-pkix@imc.org>
	Subject:  RE: Online Certificate Revocation Protocol



	[Bob Jueneman]:

	Indeed, although some have deprecated the concept of a private key
validity
	period, it makes a great deal of sense to DELIBERATELY destroy a
given
	signature key, especially a code or certificate signing key, well
before
	the
	corresponding certificate expires.  From the point of view of the
	certificate subscriber, this minimizes his risk by making certain
that the
	key can NOT be compromised, yet the certificate has not expired or
been
	revoked, so the certificate will continue to validate properly.

	[Carlin Covey]:

	I agree with Bob.  It might even be desirable to use "one-time"
signature
	keys for signing particularly important documents, such as major
contracts,
	wills, etc.   There might even be a "super non-repudiation" policy
	associated with the guaranteed destruction of the signature private
key.
	This might be implemented via some trusted hardware token that
generates
	the
	keypair, signs the document, destroys the private key, and signs a
	notification of private key destruction.  Another possibility is
some sort
	of trusted "key-destruction notary" service that notarizes the
document,
	and
	then destroys the certified one-time signature key as a matter of
policy.

	Regards,

	Carlin

	____________________________

	-  Carlin Covey
	   Cylink Corporation