[cryptography] How are expired code-signing certs revoked? (nonrepudiation)

John Case case at SDF.ORG
Thu Dec 22 02:17:21 EST 2011


On Wed, 7 Dec 2011, Jon Callas wrote:

> Nonrepudiation is a somewhat daft belief. Let me give a 
> gedankenexperiment. Suppose Alice phones up Bob and says, "Hey, Bob, I 
> just noticed that you have a digital nature from me. Well, ummm, I 
> didn't do it. I have no idea how that could have happened, but it wasn't 
> me." Nonrepudiation is the belief that the probability that Alice is 
> telling the truth is less than 2^{-128}, assuming a 3K RSA key or 
> 256-bit ECDSA key either with SHA-256. Moreover, if that signature was 
> made with an ECDSA-521 bit key and SHA-512, then the probability she's 
> telling the truth goes down to 2^{-256}.
>
> I don't know about you, but I think that the chance that Alice was 
> hacked is greater than 1 in 2^128. In fact, I'm willing to believe that 
> the probability that somehow space aliens, or Alice has an unknown evil 
> twin, or some mad scientist has invented a cloning ray is greater than 
> one in 2^128. Ironically, as the key size goes up, then Alice gets even 
> better excuses. If we used a 1k-bit ECDSA key and a 1024-bit hash, then 
> new reasonable excuses for Alice suggest themselves, like that perhaps 
> she *considered* signing but didn't in this universe, but in a nearby 
> universe (under the many-worlds interpretation of quantum mechanics, 
> which all the cool kids believe in this week) she did, and that 
> signature from a nearby universe somehow leaked over.


This is silly - it assumes that there are only two intepretations of her 
statement:

- a true "collision" (something arbitrary computes to her digital 
signature, which she did not actually invoke) which is indeed as 
astronomically unlikely as you propose.

- another unlikely event whose probability happens to be higher than the 
"collision".

But of course there is a much simpler, far more likely explanation, and 
that is that she is lying.

However ... this did get me to thinking ...

Can't this problem be solved by forcing Alice to tie her signing key to 
some other function(s)[1] that she would have a vested interest in 
protecting AND an attacker would have a vested interest in exploiting ?

I'm thinking along the lines of:

"I know Alice didn't get hacked because I see her bank account didn't get 
emptied, or I see that her ecommerce site did not disappear".

"I know Alice didn't get hacked because the bitcoin wallet that we 
protected with her signing key still has X bitcoins in it, where X is the 
value I perceived our comms/transactions to be worth."

Or whatever.


[1] I have no implementation details for this.  Especially the part about 
how Bob can determine that this tie has been made, and that the tie has 
sufficient value to assure him, etc.



More information about the cryptography mailing list