From: Adam Shostack <adam@homeport.org>
To: cme@cybercash.com (Carl Ellison)
Message Hash: 66583cbedca36614042c55c87c9635de71d65baa3748350a73c10909c3f63004
Message ID: <199609122208.RAA06798@homeport.org>
Reply To: <3.0b11.32.19960912105914.0054f7b0@cybercash.com>
UTC Datetime: 1996-09-13 00:00:52 UTC
Raw Date: Fri, 13 Sep 1996 08:00:52 +0800
Subject: Re: ISODE Consortium X.509 Certification system
Don't forget there are security vulnerabilities in X.509v3. Ross
Anderson's 'Robustness Principles' paper discusses the weakness of
sign after encrypting. In the Crypto '95 proceedings, or on his web
site.
Adam
Carl Ellison wrote:
| It really bothers me whenever I see someone mouthing platitudes
| about certificates, like:
|
| >The ITU-T, through X.509, recommend strong authentication based on public
| >key cryptosystems as the basis for providing secure services. The ISODE
| >Consortium uses X.509 as the core of its security strategy.
| >X.509 provides a flexible, scaleable and manageable algorithm-independent
| >authentication infrastructure, which can be used as the basis for a wide
| >range of security services such as message encryption and access control.
|
| Fact is, identity certification (which is what X.509 gives) is neither
| necessary nor sufficient for providing secure services -- and there's
| nothing magic about X.509.
|
| There are marketeers, however, who want the world to believe that the
| generation and use of X.509 certs will somehow give you security -- so they
| can sell machinery or a service which makes those certs.
|
| - Carl
|
| P.S. My USENIX paper giving the case against certification authorities is
| on-line now at <ftp://ftp.clark.net/pub/cme/usenix.ps> =
| <http://www.clark.net/pub/cme/usenix.ps>
|
| +------------------------------------------------------------------+
| |Carl M. Ellison cme@acm.org http://www.clark.net/pub/cme |
| | PGP 2.6.2: 61 E2 DE 7F CB 9D 79 84 E9 C8 04 8B A6 32 21 A2 |
| +-Officer, officer, arrest that man. He's whistling a dirty song.--+
|
--
"It is seldom that liberty of any kind is lost all at once."
-Hume