[cryptography] How are expired code-signing certs revoked?

Florian Weimer fw at deneb.enyo.de
Sun Dec 25 09:32:32 EST 2011


* Jon Callas:

> Nonrepudiation is a somewhat daft belief. Let me give a
> gedankenexperiment. Suppose Alice phones up Bob and says, "Hey, Bob,
> I just noticed that you have a digital nature from me. Well, ummm, I
> didn't do it. I have no idea how that could have happened, but it
> wasn't me." Nonrepudiation is the belief that the probability that
> Alice is telling the truth is less than 2^{-128}, assuming a 3K RSA
> key or 256-bit ECDSA key either with SHA-256. Moreover, if that
> signature was made with an ECDSA-521 bit key and SHA-512, then the
> probability she's telling the truth goes down to 2^{-256}.

Those numbers aren't really important.  In practice, Alice says, "my
secretary signed those documents for me, without me actually knowing
their contents".  This has been successfully used to dispute
commitment to content covered by digital signatures, without a
compromise at the cryptographic level (or even hinting to it).

Two factors make this a plausible defence: It is not reasonable expect
that someone legally in charge can personally witness every business
transaction (this is true even for rather small businesses), and
applicable law generally forbids use of group keys or certificates
issued to legal persons.  Authorizing someone else to create
cryptographic signatures on your behalf is the only way out of this
dilemma.



More information about the cryptography mailing list