[cryptography] How are expired code-signing certs revoked? (nonrepudiation)

ianG iang at iang.org
Thu Dec 22 04:01:52 EST 2011

On 22/12/11 18:17 PM, John Case wrote:
> On Wed, 7 Dec 2011, Jon Callas wrote:
>> Nonrepudiation is a somewhat daft belief.


>> Let me give a gedankenexperiment. Suppose Alice phones up Bob and 
>> says, "Hey, Bob, I just noticed that you have a digital nature from 
>> me. Well, ummm, I didn't do it. I have no idea how that could have 
>> happened, but it wasn't me." Nonrepudiation is the belief that the 
>> probability that Alice is telling the truth is less than 2^{-128}, 
>> assuming a 3K RSA key or 256-bit ECDSA key either with SHA-256. 
>> Moreover, if that signature was made with an ECDSA-521 bit key and 
>> SHA-512, then the probability she's telling the truth goes down to 
>> 2^{-256}.
>> I don't know about you, but I think that the chance that Alice was 
>> hacked is greater than 1 in 2^128. In fact, I'm willing to believe 
>> that the probability that somehow space aliens, or Alice has an 
>> unknown evil twin, or some mad scientist has invented a cloning ray 
>> is greater than one in 2^128. Ironically, as the key size goes up, 
>> then Alice gets even better excuses. If we used a 1k-bit ECDSA key 
>> and a 1024-bit hash, then new reasonable excuses for Alice suggest 
>> themselves, like that perhaps she *considered* signing but didn't in 
>> this universe, but in a nearby universe (under the many-worlds 
>> interpretation of quantum mechanics, which all the cool kids believe 
>> in this week) she did, and that signature from a nearby universe 
>> somehow leaked over.
> This is silly - it assumes that there are only two intepretations of 
> her statement:
> - a true "collision" (something arbitrary computes to her digital 
> signature, which she did not actually invoke) which is indeed as 
> astronomically unlikely as you propose.
> - another unlikely event whose probability happens to be higher than 
> the "collision".
> But of course there is a much simpler, far more likely explanation, 
> and that is that she is lying.

Actually there is a much simpler, far more likely explanation:  she's 
telling the truth:

        she has no idea how it happened or what it means.

The problem of digital signing is that most all the crypto world think 
that the challenge is to create a a cryptographically secure copy of a 
signature.  It isn't.

The challenge is to emulate signing, not emulate the signature.  Signing 
is something else.  It is, in short, making a mark to record a moment in 
time (in this case likely agreeing to something) so as to remember that 

In law, we can remember that moment in time by thrusting the image of 
the signature in front of Alice and saying "did you make that mark?" or 
in more cautions terms "is that your signature?"  Now, at this stage, if 
it looks like she did make the mark, *or* it looks like her signature, 
we can now clarify things fairly quickly.  You can invent a decision 
tree here, where the interrogation goes one way or another depending on 
how she responds.

Now try the same thing with a digsig.

     "Alice, did you run the formula that resulted in this number:
     over this other number:
     that stamped over this over DOC file?"

The right answer, the *ONLY* answer is:  "I have no clue what you just 

So it fails right there.  A digsig is completely and utterly the most 
lousy signature ever invented because it has no capability to record in 
the mind of the utterer the event at the time.  It's disgustingly bad.  
A 4 year old child could do better, and often does, with paper and crayons.

(Then, you can imagine the mad-techo-french-smartcard-scientists saying,

     "non!  Sacre blue!  Moment, sil vous plait!
     We put le key en le secure plastique un we bla de bla..."

Well no.  It has no more validity as a signature because it fails to 
record the moment to the mind of Alice.  Sorry.  It ain't signing.)

> However ... this did get me to thinking ...
> Can't this problem be solved by forcing Alice to tie her signing key 
> to some other function(s)[1] that she would have a vested interest in 
> protecting AND an attacker would have a vested interest in exploiting ?
> I'm thinking along the lines of:
> "I know Alice didn't get hacked because I see her bank account didn't 
> get emptied, or I see that her ecommerce site did not disappear".
> "I know Alice didn't get hacked because the bitcoin wallet that we 
> protected with her signing key still has X bitcoins in it, where X is 
> the value I perceived our comms/transactions to be worth."
> Or whatever.
> [1] I have no implementation details for this.  Especially the part 
> about how Bob can determine that this tie has been made, and that the 
> tie has sufficient value to assure him, etc.

Yeah, so the protocol known as signing changes depending on the purpose 
and value :)

(Oh, yeah, and that's before we get to non-repudiation........ which 
clashes with law principles at its most foundational...... and if it 
ever happened would lead to mass rioting and plastique bonfires and 
rounding up of whoever was responsible.)

Have a merry XMas !


More information about the cryptography mailing list