[484] in cryptography@c2.net mail archive
Re: Analysis of proposed UK ban on use of non-escrowed crypto.
daemon@ATHENA.MIT.EDU (A. Padgett Peterson P.E. Informati)
Thu Apr 3 15:17:49 1997
Date: Thu, 3 Apr 1997 15:13:40 -0500 (EST)
From: "A. Padgett Peterson P.E. Information Security" <PADGETT@hobbes.orl.mmc.com>
To: cryptography@c2.net
I think we are all missing something here. The public key (necessary
for verifying a signature or to encrypt a data stream intended for
that recipient) is all that needs a certificate. There is no need
for the CA to ever have any access to a private key, nor would they
ever want to. This not an exposure but an enhancement.
It does not make the key any stronger or weaker but it does raise the
level of trust that the key and the person are linked.
The CA is actually "notarizing" the key. This activity is usually licensed
by the state so that the seal will be recognized in a court of law. It
*validates* that the person and the signature are linked but says nothing
about the use to which it is put.
GAK/Key Recovery/Key Escrow is OTOH a function relating to the private
key and is entirely different. The proposals I have seen miss this
critical differentiation (or perhaps mix them on purpose).
Certification of the public key does not create any risk of exposure
to the key holder. Liability of the certificate issuer should be limited
to the sanctions of a notary who certifies a signature without proof of
identity. An Escrow Agent OTOH should be liable for the contents of any
message sent with a key that has been improperly disclosed.
As a result when someone says "CA is the same as TTP", I say that this is
not true, a CA is no more (and no less) than a notary - no trust on the
part of the keyholder is involved whereas a TTP who holds *both* keys
must be held to a different and much higher standard and may not be
necessary at all.
Warmly,
Padgett
