[LINK] RFC: Could CAs Be Eavesdropping on Their Clients?

Roger Clarke Roger.Clarke at xamax.com.au
Sun Aug 15 11:21:20 AEST 2010


At 22:54 +1000 14/8/10, Kim Holburn wrote:
>I was thinking about this reading the article and realised that every 
>time or so a certificate is used there is a call to the CA for the CRL 
>or ocsp.  This in itself could be used for traffic analysis.  The data
>probably is logged.

Yep.

"If it becomes routine for signature recipients to check PARRA for 
non-revocation of digital signatures, then PARRA logs will be a 
centralised surveillance facility, capable of indicating which 
cyberspace entities a person is transacting with over a period of 
time. To some extent the surveillance could be real-time, but more 
often would provide logs over time. Either way, police and other 
investigative agencies are likely to show a keen interest, as they 
already do with telephone call data held by carriers." [1]

But, because the uptake of PKI as a whole, and CRLs and OCSP within 
it, has been so dismally low, I can't recall the point Kim makes 
arising even *once* since we wrote that text ... 13-1/2 years ago ...


[1] Greenleaf G. & Clarke R. (1997)  'Privacy Implications of Digital 
Signatures'  Proc. IBC Conf. on Digital Signatures, March 1997, at 
http://www.rogerclarke.com/DV/DigSig.html#Publ


-- 
Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
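The surveillance capability Kim and the 1997 paper describe can be made concrete. The following is an added example, not code from the original post or from any of the people or organisations it names: it shows what an OCSP responder operator can reconstruct about individual clients purely from the responder's own HTTP access log. It assumes (my assumptions, not the page's) an Apache-style log format on the responder, clients using the HTTP GET form of OCSP from RFC 6960 Appendix A.1 (base64 DER request in the URL path), and a CA that naturally knows which serial number it issued to which subject. The log lines, hashes, serials and host names are all constructed for the example.

```python
"""Added example: what a CA's OCSP responder can learn from its access log.

Assumed (not from the page): Apache-style log lines, the RFC 6960 A.1 GET
form of OCSP, and the CA's own serial -> subject issuance record.
All certificate data, clients and log lines below are constructed.
"""
import base64
import re
from collections import defaultdict
from urllib.parse import quote, unquote


# --- minimal DER helpers (enough for OCSPRequest, RFC 6960 4.1.1) ---------
def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV in definite-length form."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 if high bit set)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(content: bytes):
    """Yield (tag, body) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body


SHA1_OID = bytes.fromhex("06052B0E03021A")  # id-sha1 1.3.14.3.2.26


def build_ocsp_request(serial: int, issuer_name_hash: bytes, issuer_key_hash: bytes) -> bytes:
    """DER OCSPRequest for one certificate, no extensions (what a client sends)."""
    alg = der(0x30, SHA1_OID + der(0x05, b""))
    cert_id = der(0x30, alg + der(0x04, issuer_name_hash)
                  + der(0x04, issuer_key_hash) + der_int(serial))
    request_list = der(0x30, der(0x30, cert_id))   # SEQUENCE OF Request
    tbs = der(0x30, request_list)                   # version v1 is DEFAULT, omitted
    return der(0x30, tbs)


def ocsp_get_path(request_der: bytes) -> str:
    """RFC 6960 A.1: GET {url}/{url-encoded base64 of the DER OCSPRequest}."""
    return "/" + quote(base64.b64encode(request_der).decode(), safe="")


def serials_in_request(request_der: bytes) -> list[int]:
    """OCSPRequest -> TBSRequest -> requestList -> Request -> CertID -> serialNumber."""
    _, tbs_tlv, _ = read_tlv(request_der)
    _, tbs, _ = read_tlv(tbs_tlv)
    # TBSRequest may begin with [0] version / [1] requestorName; requestList is the first SEQUENCE
    request_list = next(body for tag, body in children(tbs) if tag == 0x30)
    serials = []
    for _, req in children(request_list):
        cert_id = next(body for tag, body in children(req) if tag == 0x30)
        fields = list(children(cert_id))            # alg, issuerNameHash, issuerKeyHash, serial
        tag, serial_bytes = fields[3]
        if tag != 0x02:
            raise ValueError("CertID.serialNumber is not an INTEGER")
        serials.append(int.from_bytes(serial_bytes, "big", signed=True))
    return serials


LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "GET (?P<path>\S+) HTTP/1\.[01]"')


def profile_clients(log_lines, issued):
    """Per client IP: (timestamp, subject) for every certificate it asked about.

    `issued` is the CA's own serial -> subject record, so each OCSP lookup
    becomes "this client contacted that site at that time" with no decryption.
    """
    seen = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                # not a GET; ignored in this example
        try:
            serials = serials_in_request(base64.b64decode(unquote(m["path"].lstrip("/"))))
        except Exception:
            continue                                # path is not a well-formed OCSP request
        for serial in serials:
            seen[m["ip"]].append((m["when"], issued.get(serial, f"unknown serial {serial:#x}")))
    return dict(seen)


# --- constructed sample data (no real CA, certificates or clients) --------
ISSUER_NAME_HASH = bytes.fromhex("a1" * 20)
ISSUER_KEY_HASH = bytes.fromhex("b2" * 20)
ISSUED = {0x1001: "bank.example", 0x1002: "clinic.example", 0x1003: "shop.example"}


def make_log_line(ip: str, when: str, serial: int) -> str:
    path = ocsp_get_path(build_ocsp_request(serial, ISSUER_NAME_HASH, ISSUER_KEY_HASH))
    return f'{ip} - - [{when}] "GET {path} HTTP/1.1" 200 1456'


SAMPLE_LOG = [
    make_log_line("203.0.113.7", "14/Aug/2010:22:54:01 +1000", 0x1001),
    make_log_line("198.51.100.9", "14/Aug/2010:22:54:03 +1000", 0x1003),
    make_log_line("203.0.113.7", "14/Aug/2010:22:57:40 +1000", 0x1002),
    '198.51.100.9 - - [14/Aug/2010:22:58:00 +1000] "GET /robots.txt HTTP/1.1" 404 209',
]

if __name__ == "__main__":
    for ip, visits in profile_clients(SAMPLE_LOG, ISSUED).items():
        print(ip)
        for when, subject in visits:
            print(f"  {when}  checked {subject}")
```

Nothing here requires breaking any cryptography: the OCSP request is unencrypted and the CertID identifies the certificate exactly, so the responder's ordinary access log, joined with the CA's issuance records, is already the per-person log of "which cyberspace entities a person is transacting with over a period of time" that the 1997 paper anticipated.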


