[cryptography] How are expired code-signing certs revoked?

Jon Callas jon at callas.org
Wed Dec 7 17:45:55 EST 2011


> Originally, public key systems were said to possess this property of 'nonrepudiation', meaning a digital signature could effectively authenticate the intent of the party associated with the private key. However, today such a large percentage of endpoint systems (on which the private keys are held) are infected with info-stealing malware that most everyone has plausible deniability about what is signed with their private keys. (Exceptions being perhaps hardware systems that have not been hacked yet and "trust" vendors whose organizations are specifically built on their expertise at handling private keys.)
> 
> So current revocation schemes attempt to preserve nonrepudiation in an attempt to make digital signatures more like binding ink signatures on a contract.
> 
> But automated systems checking for signatures are usually authenticating server certs or validating signed code for execution. In these cases, we definitely need the party who has been compromised to be able to repudiate the evil things that have been signed by their private key.
> 
> So it seems to me that PKI systems were designed with some sort of legalistic contract-binding model in mind, when it turns out in practice that security (even of ecommerce transactions) depends more on an efficient repudiation mechanism than the prevention of it!

Marsh, you've hit on a few good points.

The main one is that one of the original purposes of digital signatures is to make it possible to sign a contract between parties that are not physically present. That actually works quite well. But there's been mission creep into absurdity and that happened nearly immediately in the development of digital signatures.

Nonrepudiation is one of these. I think that the very idea of nonrepudiation goes back to Leibniz, who thought we could get rid of judges and solve disputes with, "Gentlemen, let us calculate!" That isn't going to happen, and we only have to wave towards Messrs. Russell, Whitehead, Goedel, and Turing (Hi, guys!) and move on.

Nonrepudiation is a somewhat daft belief. Let me give a gedankenexperiment. Suppose Alice phones up Bob and says, "Hey, Bob, I just noticed that you have a digital signature from me. Well, ummm, I didn't do it. I have no idea how that could have happened, but it wasn't me." Nonrepudiation is the belief that the probability that Alice is telling the truth is less than 2^{-128}, assuming a 3K RSA key or 256-bit ECDSA key, either with SHA-256. Moreover, if that signature was made with an ECDSA-521 bit key and SHA-512, then the probability she's telling the truth goes down to 2^{-256}.

I don't know about you, but I think that the chance that Alice was hacked is greater than 1 in 2^128. In fact, I'm willing to believe that the probability that somehow space aliens, or Alice has an unknown evil twin, or some mad scientist has invented a cloning ray is greater than one in 2^128. Ironically, as the key size goes up, then Alice gets even better excuses. If we used a 1k-bit ECDSA key and a 1024-bit hash, then new reasonable excuses for Alice suggest themselves, like that perhaps she *considered* signing but didn't in this universe, but in a nearby universe (under the many-worlds interpretation of quantum mechanics, which all the cool kids believe in this week) she did, and that signature from a nearby universe somehow leaked over. 

This absurd-excuse paradox means that if you *really* believe in non-repudiation, you need not only to avoid keys that are too small, but too large.

Now, in the real world, Alice might repudiate the signature, but pay Bob anyway. Or Bob might just accept Alice's excuse because there are reasonable chances something odd happened (like Alice got hacked). Or Bob might take Alice to court, where a judge or jury would assess a constellation of things including the reasonableness of the contract, Alice and Bob's individual reputations, and also some defaults (a five-dollar charge might be presumed to be disputable, and a million-dollar property purchase assumed to not be disputable).

We got to this problem through some reasonable and unreasonable natural human things. We inherently distrust new technologies. There was a time when you couldn't fax a legal document. Then we got used to it. Today, most places will accept an emailed PDF of a scan of a document, but not all. There are a few amusing situations where you take a scan, print it, then fax the paper and it's a legal document, but not that PDF itself, either digitally signed or not.

Nonrepudiation is really an argument that this math combined with some rituals make bits as good as a fax.

Intent is another good point. Contract law and practice has intent wired through it all over the place. Trust is also a huge can of worms, as well as possibly not even being definable.

If we step back, though, this is similar to the code-signing discussion in that there's the *mechanism* of PKI and the *policy* of PKI. Not only do we conflate the two, but we have a tendency to criticize mechanism because of policy, and vice versa.

That conflation of mechanism and policy is a huge problem, and made worse by those who want to make it a bigger problem, by wanting to encode policy into mechanism. Yeah, yeah, they can never be completely separate, but admitting they aren't the same thing would be a great start.

	Jon

