[cryptography] Math corrections [was: Let's go back to the beginning on this]

Marsh Ray marsh at extendedsubset.com
Sun Sep 18 01:37:07 EDT 2011

On 09/17/2011 11:59 PM, Arshad Noor wrote:
> The real problem, however, is not the number of signers or the length
> of the cert-chain; its the quality of the "certificate manufacturing"
> process.

No, you have it exactly backwards.

It really is the fact that there are hundreds of links in the chain and
that the failure of any single weak link results in the failure of the
system as a whole. When the number of CAs is large like it is, it
becomes impossible to make all the CAs reliable enough ("give them
enough nines" of reliability) to end up with an acceptable level of

On 09/15/2011 06:32 PM, dan at geer.org wrote:
> The source of risk is dependence, perhaps especially dependence on
> expectations of system state.

This is an extreme example of that principle.

Your insecurity gets exponentially worse with the the number of
independent CAs.

Something this analysis doesn't capture probably even causes it
understate the problem: CAs aren't failing randomly like earthquakes.
Intelligent attackers are choosing the easiest ones to breach. In other
cases, the CAs themselves will willfully sell you out!

Now you may be a law-and-order type fellow who believes that "lawful
intercept" is a magnificent tool in the glorious war on whatever. But if
so, you have to realize that on the global internet, your own systems
are just as vulnerable to a "lawfully executed" court order gleefully
issued by your adversary (as if they'd even bother with the paperwork).

And don't let anybody tell you that it will be hard for him to pull off 
an active attack on the internet, because in normal circumstances it 
just isn't.

It was demoed for DefCon 18:
> In the case of Kapela and Pilosov’s interception attack, Martin
> Brown of Renesys analyzed that incident and found that within 80
> seconds after Kapela and Pilosov had sent their prefix
> "advertisement" to hijack DefCon’s traffic, 94 percent of the peers
> from whom Renesys collects routing traffic had received the
> advertisement and begun to route DefCon traffic to the eavesdroppers’
> network in New York.

Yep, that's right. IP routes are agreed on based on the honor system.

- Marsh

More information about the cryptography mailing list