[cryptography] How are expired code-signing certs revoked? (nonrepudiation)
Adam Back
adam at cypherspace.org
Thu Dec 22 03:40:37 EST 2011
Stefan Brands credentials [1] have an anti-lending feature where you have to
know all of the private components in order to make a signature with it.
My proposal related to what you said was to put a high value ecash coin as
one of the private components. Now they have a direct financial incentive -
if they get hacked and their private keys stolen they lose $1m untraceably.
Now thats quite reassuring - and encapsulates a smart contract where they
get an automatic fine, or good behavior bond. I think you could put a
bitcoin in there instead of a high value Brands based ecash coin. Then you
could even tell that it wasnt collected by looking in the spend list.
Adam
[1] http://www.cypherspace.org/credlib/ a library implementing Brands
credentials - it has pointers to the uprove spec, Brands thesis in pdf form
etc.
On Thu, Dec 22, 2011 at 07:17:21AM +0000, John Case wrote:
>
>On Wed, 7 Dec 2011, Jon Callas wrote:
>
>>Nonrepudiation is a somewhat daft belief. Let me give a
>>gedankenexperiment. Suppose Alice phones up Bob and says, "Hey,
>>Bob, I just noticed that you have a digital nature from me. Well,
>>ummm, I didn't do it. I have no idea how that could have happened,
>>but it wasn't me." Nonrepudiation is the belief that the
>>probability that Alice is telling the truth is less than 2^{-128},
>>assuming a 3K RSA key or 256-bit ECDSA key either with SHA-256.
>>Moreover, if that signature was made with an ECDSA-521 bit key and
>>SHA-512, then the probability she's telling the truth goes down to
>>2^{-256}.
>>
>>I don't know about you, but I think that the chance that Alice was
>>hacked is greater than 1 in 2^128. In fact, I'm willing to believe
>>that the probability that somehow space aliens, or Alice has an
>>unknown evil twin, or some mad scientist has invented a cloning ray
>>is greater than one in 2^128. Ironically, as the key size goes up,
>>then Alice gets even better excuses. If we used a 1k-bit ECDSA key
>>and a 1024-bit hash, then new reasonable excuses for Alice suggest
>>themselves, like that perhaps she *considered* signing but didn't
>>in this universe, but in a nearby universe (under the many-worlds
>>interpretation of quantum mechanics, which all the cool kids
>>believe in this week) she did, and that signature from a nearby
>>universe somehow leaked over.
>
>
>This is silly - it assumes that there are only two intepretations of
>her statement:
>
>- a true "collision" (something arbitrary computes to her digital
>signature, which she did not actually invoke) which is indeed as
>astronomically unlikely as you propose.
>
>- another unlikely event whose probability happens to be higher than
>the "collision".
>
>But of course there is a much simpler, far more likely explanation,
>and that is that she is lying.
>
>However ... this did get me to thinking ...
>
>Can't this problem be solved by forcing Alice to tie her signing key
>to some other function(s)[1] that she would have a vested interest in
>protecting AND an attacker would have a vested interest in exploiting
>?
>
>I'm thinking along the lines of:
>
>"I know Alice didn't get hacked because I see her bank account didn't
>get emptied, or I see that her ecommerce site did not disappear".
>
>"I know Alice didn't get hacked because the bitcoin wallet that we
>protected with her signing key still has X bitcoins in it, where X is
>the value I perceived our comms/transactions to be worth."
>
>Or whatever.
More information about the cryptography
mailing list