[cryptography] How are expired code-signing certs revoked? (nonrepudiation)

Adam Back adam at cypherspace.org
Thu Dec 22 03:40:37 EST 2011

Stefan Brands' credentials [1] have an anti-lending feature where you have to
know all of the private components in order to make a signature with it.

My proposal related to what you said was to put a high value ecash coin as
one of the private components.  Now they have a direct financial incentive -
if they get hacked and their private keys stolen they lose $1m untraceably.

Now that's quite reassuring - and encapsulates a smart contract where they
get an automatic fine, or good behavior bond.  I think you could put a
bitcoin in there instead of a high value Brands based ecash coin.  Then you
could even tell that it wasn't collected by looking in the spend list.


[1] http://www.cypherspace.org/credlib/ a library implementing Brands
credentials - it has pointers to the uprove spec, Brands' thesis in pdf form

On Thu, Dec 22, 2011 at 07:17:21AM +0000, John Case wrote:
>On Wed, 7 Dec 2011, Jon Callas wrote:
>>Nonrepudiation is a somewhat daft belief. Let me give a 
>>gedankenexperiment. Suppose Alice phones up Bob and says, "Hey, 
>>Bob, I just noticed that you have a digital signature from me. Well, 
>>ummm, I didn't do it. I have no idea how that could have happened, 
>>but it wasn't me." Nonrepudiation is the belief that the 
>>probability that Alice is telling the truth is less than 2^{-128}, 
>>assuming a 3K RSA key or 256-bit ECDSA key either with SHA-256. 
>>Moreover, if that signature was made with an ECDSA-521 bit key and 
>>SHA-512, then the probability she's telling the truth goes down to 
>>I don't know about you, but I think that the chance that Alice was 
>>hacked is greater than 1 in 2^128. In fact, I'm willing to believe 
>>that the probability that somehow space aliens, or Alice has an 
>>unknown evil twin, or some mad scientist has invented a cloning ray 
>>is greater than one in 2^128. Ironically, as the key size goes up, 
>>then Alice gets even better excuses. If we used a 1k-bit ECDSA key 
>>and a 1024-bit hash, then new reasonable excuses for Alice suggest 
>>themselves, like that perhaps she *considered* signing but didn't 
>>in this universe, but in a nearby universe (under the many-worlds 
>>interpretation of quantum mechanics, which all the cool kids 
>>believe in this week) she did, and that signature from a nearby 
>>universe somehow leaked over.
>This is silly - it assumes that there are only two interpretations of 
>her statement:
>- a true "collision" (something arbitrary computes to her digital 
>signature, which she did not actually invoke) which is indeed as 
>astronomically unlikely as you propose.
>- another unlikely event whose probability happens to be higher than 
>the "collision".
>But of course there is a much simpler, far more likely explanation, 
>and that is that she is lying.
>However ... this did get me to thinking ...
>Can't this problem be solved by forcing Alice to tie her signing key 
>to some other function(s)[1] that she would have a vested interest in 
>protecting AND an attacker would have a vested interest in exploiting 
>I'm thinking along the lines of:
>"I know Alice didn't get hacked because I see her bank account didn't 
>get emptied, or I see that her ecommerce site did not disappear".
>"I know Alice didn't get hacked because the bitcoin wallet that we 
>protected with her signing key still has X bitcoins in it, where X is 
>the value I perceived our comms/transactions to be worth."
>Or whatever.
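
The "must know every private component to sign" property from the top of this message, as an added example that is not from the original post, credlib or U-Prove. It is a plain Fiat-Shamir proof of knowledge of a two-base representation, not Brands' full issuing and showing protocol. Assumptions: the demo group, the generators 4 and 9, and the names x1 (signing secret) and x2 (the secret that also controls the bond coin).

```python
import hashlib, secrets

def probably_prime(n, bases=(2, 3, 5, 7, 11, 13)):
    """Miller-Rabin with fixed bases on odd n; used only to build demo parameters."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Demo group (assumption of this example): first probable safe prime P = 2Q + 1 with Q > 2^127.
Q = (1 << 127) + 1
while not (probably_prime(Q) and probably_prime(2 * Q + 1)):
    Q += 2
P = 2 * Q + 1
# Squares generate the order-Q subgroup. A real deployment must derive G1 and G2
# so that nobody knows log_G1(G2); 4 and 9 are placeholders.
G1, G2 = 4, 9

def public_key(x1, x2):
    return pow(G1, x1, P) * pow(G2, x2, P) % P

def challenge(h, a, msg):
    digest = hashlib.sha256(f"{h}|{a}|".encode() + msg).digest()
    return int.from_bytes(digest, "big") % Q

def sign(h, x1, x2, msg):
    """Fiat-Shamir proof of knowing (x1, x2) with h = G1^x1 * G2^x2, bound to msg."""
    w1, w2 = secrets.randbelow(Q), secrets.randbelow(Q)
    a = pow(G1, w1, P) * pow(G2, w2, P) % P
    c = challenge(h, a, msg)
    return c, (w1 + c * x1) % Q, (w2 + c * x2) % Q

def verify(h, msg, sig):
    c, r1, r2 = sig
    a = pow(G1, r1, P) * pow(G2, r2, P) * pow(h, Q - c, P) % P
    return c == challenge(h, a, msg)
```

A signer holding x1 but a wrong x2 produces a signature that `verify` rejects, so handing over working signing ability means handing over the coin secret as well.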
