[LINK] RFC: Could CAs Be Eavesdropping on Their Clients?

Kim Holburn kim at holburn.net
Sun Aug 15 13:22:09 AEST 2010 

On 2010/Aug/15, at 11:21 AM, Roger Clarke wrote:

> At 22:54 +1000 14/8/10, Kim Holburn wrote:
>> I was thinking about this reading the article and realised that every
>> time or so a certificate is used there is a call to the CA for the  
>> CRL
>> or ocsp.  This in itself could be used for traffic analysis.  The  
>> data
>> probably is logged.
>
> Yep.
>
> "If it becomes routine for signature recipients to check PARRA for
> non-revocation of digital signatures, then PARRA logs will be a
> centralised surveillance facility, capable of indicating which
> cyberspace entities a person is transacting with over a period of
> time. To some extent the surveillance could be real-time, but more
> often would provide logs over time. Either way, police and other
> investigative agencies are likely to show a keen interest, as they
> already do with telephone call data held by carriers." [1]

Wouldn't this be a good reason not to go down the "Policy And Root  
Registration Authority" route?  On the other hand it looks from  
discussions here that only CAs with a separate vested interest in  
authenticating members is going to do a decent job of it.  That looks  
a lot like government to me.  It might be arguably OK to leak  
revocation requests to our government but to other governments?

> But, because the uptake of PKI as a whole, and CRLs and OCSP within
> it, has been so dismally low, I can't recall the point Kim makes
> arising even *once* since we wrote that text  ...  13-1/2 years ago
> ...

We all after all do use web certificates nearly every day.  That's not  
dismally low.  Those web certificates are PK certificates based on an  
infrastructure, maybe not a secure one.  Perhaps our browsers don't  
check for revocation.  That's just as bad or worse really.

> [1] Greenleaf G. & Clarke R. (1997)  'Privacy Implications of Digital
> Signatures'  Proc. IBC Conf. on Digital Signatures, March 1997, at
> http://www.rogerclarke.com/DV/DigSig.html#Publ


-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

More information about the Link mailing list