[LINK] RFC: Could CAs Be Eavesdropping on Their Clients?
Roger Clarke
Roger.Clarke at xamax.com.au
Sun Aug 15 11:21:20 AEST 2010
At 22:54 +1000 14/8/10, Kim Holburn wrote:
>I was thinking about this reading the article and realised that every
>time or so a certificate is used there is a call to the CA for the CRL
>or ocsp. This in itself could be used for traffic analysis. The data
>probably is logged.
Yep.
"If it becomes routine for signature recipients to check PARRA for
non-revocation of digital signatures, then PARRA logs will be a
centralised surveillance facility, capable of indicating which
cyberspace entities a person is transacting with over a period of
time. To some extent the surveillance could be real-time, but more
often would provide logs over time. Either way, police and other
investigative agencies are likely to show a keen interest, as they
already do with telephone call data held by carriers." [1]
But, because the uptake of PKI as a whole, and CRLs and OCSP within
it, has been so dismally low, I can't recall the point Kim makes
arising even *once* since we wrote that text ... 13-1/2 years ago
...
[1] Greenleaf G. & Clarke R. (1997) 'Privacy Implications of Digital
Signatures' Proc. IBC Conf. on Digital Signatures, March 1997, at
http://www.rogerclarke.com/DV/DigSig.html#Publ
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University
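As an added illustration of the point Kim raises (example code, not part of the original message): an OCSP responder's access log, joined with the CA's own issuance records, amounts to a per-client browsing history. The log lines, IP addresses and serial numbers below are all constructed.

```python
"""What an OCSP responder's log reveals about the clients that query it.

Constructed example: the log format, serial numbers and hostnames below are
made up for illustration; real responders log in their own formats.
"""
from collections import defaultdict

# Constructed: the CA knows which subject each serial number was issued to.
ISSUED = {
    "0x1a2b": "mail.example.net",
    "0x3c4d": "bank.example.org",
    "0x5e6f": "forum.example.com",
}

# Constructed OCSP responder access log: timestamp, requesting IP, serial.
RESPONDER_LOG = """\
2010-08-14T22:10:01Z 203.0.113.7 0x1a2b
2010-08-14T22:10:05Z 203.0.113.7 0x3c4d
2010-08-14T22:11:40Z 198.51.100.9 0x5e6f
2010-08-14T22:12:02Z 203.0.113.7 0x5e6f
"""


def parse_log(text):
    """Yield (timestamp, client_ip, serial) tuples from the constructed log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, serial = line.split()
        yield ts, ip, serial


def client_timelines(log_text, issued=ISSUED):
    """Map each requesting IP to the ordered list of sites it contacted.

    The serial in an OCSP request identifies exactly one certificate, and the
    CA knows to whom it issued that certificate, so a plain access log is
    already a browsing record without any extra instrumentation.
    """
    timelines = defaultdict(list)
    for ts, ip, serial in parse_log(log_text):
        site = issued.get(serial, "unknown serial " + serial)
        timelines[ip].append((ts, site))
    return dict(timelines)


if __name__ == "__main__":
    for ip, visits in client_timelines(RESPONDER_LOG).items():
        print(ip, visits)
```

The exposure disappears when the web server fetches and staples its own OCSP response (RFC 6066 status_request), because the responder then sees the server's address rather than the visitor's.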