[18220] in cryptography@c2.net mail archive
Re: How many wrongs do you need to make a right?
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Aug 17 12:33:13 2005
X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: pgut001@cs.auckland.ac.nz (Peter Gutmann),
cryptography@metzdowd.com
In-Reply-To: Your message of "Wed, 17 Aug 2005 15:24:17 +0200."
<87u0hoae7y.fsf@mid.deneb.enyo.de>
Date: Wed, 17 Aug 2005 12:18:21 -0400
In message <87u0hoae7y.fsf@mid.deneb.enyo.de>, Florian Weimer writes:
>* Steven M. Bellovin:
>
>> In message <87br3wdal7.fsf@mid.deneb.enyo.de>, Florian Weimer writes:
>>
>>>
>>>Can't you strip the certificates which have expired from the CRL? (I
>>>know that with OpenPGP, you can't, but that's a different story.)
>>>
>>>OTOH, I wouldn't be concerned by the file size, although it's
>>>certainly annoying. I would be really worried that the contents of
>>>that CRL leaks sensitive information. At least from a privacy point
>>>of view, this is a big, big problem, especially if you include some
>>>indication which allows you to judge the validity of old signatures.
>>>
>>
>> One can easily conceive of schemes that don't have such problems, such
>> as simply publishing the hash of revoked certificates, or using a Bloom
>> filter based on the hashes.
>
>This doesn't completely eliminate the data leak, as long as the
>certificates were used in end-to-end communications. Analysis for
>relative outsiders becomes harder, though.
>
Details matter. If two parties do a DH exchange before sending their
certificates, it would take an active attack. In many protocols, one
party authenticates first, thereby preventing an active attack on the
other.
But any CRL scheme exposes knowledge of a compromise to a corrupt
insider -- and they're often the primary party from whom you want to
keep such information.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
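
The two schemes named in the quoted text above (publishing hashes of revoked certificates, or a Bloom filter built from those hashes), sketched together as an added example that is not part of the original message. The class and function names, the 1% false-positive target, and the placeholder byte strings standing in for DER-encoded certificates are assumptions.

```python
import hashlib
import math

# Constructed sample input: placeholder bytes standing in for DER certificates.
SAMPLE_REVOKED = [b"constructed-revoked-cert-%d" % i for i in range(1000)]

class RevocationBloomFilter:
    """Bloom filter over SHA-256 hashes of revoked certificates."""
    def __init__(self, expected_items, fp_rate):
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m/n) ln 2 hashes.
        self.m = max(8, math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, cert):
        # Hash the certificate once, derive k bit indexes by double hashing.
        d = hashlib.sha256(cert).digest()
        h1 = int.from_bytes(d[:16], "big")
        h2 = int.from_bytes(d[16:], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, cert):
        for pos in self._positions(cert):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def might_be_revoked(self, cert):
        # False: definitely not listed. True: listed, or a false positive.
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(cert))

def build(revoked_certs, fp_rate=0.01):
    filt = RevocationBloomFilter(len(revoked_certs), fp_rate)
    for cert in revoked_certs:
        filt.add(cert)
    hashes = {hashlib.sha256(c).hexdigest() for c in revoked_certs}
    return filt, hashes  # compact filter plus the plain hash list

def check_certificate(filt, hashes, cert):
    """Relying-party check: filter first, hash list only to settle a hit."""
    if not filt.might_be_revoked(cert):
        return "good"
    # Only someone who already holds the certificate can compute this hash,
    # which is why the leak is reduced rather than eliminated.
    digest = hashlib.sha256(cert).hexdigest()
    return "revoked" if digest in hashes else "good (false positive)"

if __name__ == "__main__":
    filt, hashes = build(SAMPLE_REVOKED)
    print(len(filt.bits), "bytes of filter for", len(hashes), "revoked certificates")
    print(check_certificate(filt, hashes, SAMPLE_REVOKED[0]))
```

A Bloom filter never misses a revoked certificate but does report some unrevoked ones, so a hit has to be confirmed against the hash list (or another authoritative source) before the certificate is rejected.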