[cryptography] Math corrections

Arshad Noor arshad.noor at strongauth.com
Wed Sep 21 12:30:19 EDT 2011


On 09/18/2011 11:59 AM, Peter Gutmann wrote:
> Arshad Noor <arshad.noor at strongauth.com> writes:
>
>> Just because you come across one compromised CA out of 100 in the browser,
>> does not imply that the remaining 99 are compromised (which is what you are
>> implying with your statement).
>
> Since browser PKI uses universal implicit cross-certification, it is indeed
> the case that if one CA is compromised, all are compromised.  So Ian is
> correct in his assessment.

I disagree, Peter.

In the first place, as you know, browsers have a trust-store of unique
self-signed TTP CA certificates; not cross-certified certificates.  All
SSL/TLS connections between browsers and a site with an SSL certificate
issued by one of those TTP CAs involve a *direct* trust-chain.  A
browser user (or manufacturer) always has the ability to delete any TTP
CA certificate from their trust-store and sever the trust-chain, at
will.  Notwithstanding the fact that most users don't know anything
about trust-stores and TTP CA certificates, it does not change the fact
that these are direct and independent trust-chains that can be severed
at will.

Secondly, if one CA is compromised, the only affected users are the ones
who still have that CA's Root certificate in their trust-store and who
happen to rely on a certificate issued by that CA (or its chain).  Any
user that has deleted the compromised CA's certificate can continue to
rely upon *other* TTP certificates/chains without worrying about the
compromised CA's certificates. They have isolated the damage and can
move on.

Thirdly, let's assume that the compromised CA has *explicitly* entered
into a cross-certification agreement with one or more other TTP CAs.
In such a situation, I admit that users who have removed the compromised
CA's certificate from their browser, can still become victims of a site
whose certificate was issued by the compromised CA, but whose website
administrator chose to use the cross-certified path instead of the direct
path in their web-server's SSL configuration.  This will continue to
validate as a trusted chain in the browser.  However, any TTP CA that
has not revoked the compromised CA's (DigiNotar's) cross-certificate
by now and publicly notified the browser community about such a
revocation, has endangered their own business, much like DigiNotar.
This act, and the fact that the user/browser-vendor can remove the
compromised CA's certificate allows the rest of the internet community
to continue to rely on SSL connections despite the explicit cross-
certification.

Are there problems with PKI?  I have already said, undoubtedly.  But,
these are "certificate manufacturing and distribution" problems that
must be addressed.  They are not a fundamental weakness of PKI itself.
As an analogy, let me mention that, when there is an outbreak of
salmonella in - let's say broccoli - everybody recognizes that the
tainting is caused, either in the manufacture or distribution of the
broccoli.  It might be that one or more farms, or one or more
distributors, are at fault.  While, in the short-term broccoli
production might be stopped and/or recalled, rational people recognize
that this is not a fundamental issue with broccoli itself, and do not
go around claiming that all broccoli manufacturers and distributors
are tainted or predicting that broccoli is doomed for the black-hole.

One airplane might have fallen from the sky, gentlemen, but the sky is
not falling down on our heads.

Arshad Noor
StrongAuth, Inc.

P.S.  The use of the term "universal implicit cross-certification"
only serves to add confusion to an already complex field; you are the
only one that uses it (3 of the top 5 responses in a Google search
of this term are from this thread; the remaining two come from your
paper and presentation at IDTrust from some years ago).  It took me
a while to realize that it's just your term for "independent trust-
chains" in the browser.  It might help the PKI community if we called
a spade a spade.  Thank you.
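
The three cases argued in the message above (direct chain, root deleted from the trust-store, explicit cross-certificate), as an added example that is not part of the original post. It is a toy path builder: signature verification is modelled by issuer-name matching only, and the CA names, site names and the `find_chain` helper are constructed for illustration.

```python
from collections import namedtuple

# Constructed toy certificate: no keys or signatures, "issuer" stands in
# for "signed by that CA's key".
Cert = namedtuple("Cert", "subject issuer")

def find_chain(leaf, pool, trust_store, revoked=frozenset()):
    """Return the list of certs from leaf up to a trusted root, or None.

    pool        -- intermediate/cross certificates offered by the server
    trust_store -- set of root CA names the client still trusts
    revoked     -- certificates the client knows to be revoked
    """
    def walk(cert, seen):
        if cert in revoked:
            return None
        if cert.issuer in trust_store:          # chain ends at a trust anchor
            return [cert]
        for cand in pool:                       # try any cert naming the issuer
            if cand.subject == cert.issuer and cand not in seen:
                rest = walk(cand, seen | {cand})
                if rest:
                    return [cert] + rest
        return None
    return walk(leaf, frozenset({leaf}))

def scenarios():
    leaf = Cert("site.example", "CA-A")    # issued by the compromised CA (hypothetical)
    other = Cert("other.example", "CA-B")  # issued by an unrelated CA
    cross = Cert("CA-A", "CA-B")           # explicit cross-certificate: CA-B vouches for CA-A
    full, pruned = {"CA-A", "CA-B"}, {"CA-B"}
    return {
        # CA-A still in the trust-store: direct chain validates.
        "direct": find_chain(leaf, [], full),
        # CA-A deleted from the trust-store: direct chain is severed.
        "root_removed": find_chain(leaf, [], pruned),
        # Sites under other roots are unaffected by the deletion.
        "other_ca": find_chain(other, [], pruned),
        # Server offers the cross-certified path: validates via CA-B.
        "cross_path": find_chain(leaf, [cross], pruned),
        # CA-B has revoked the cross-certificate: path fails again.
        "cross_revoked": find_chain(leaf, [cross], pruned, revoked={cross}),
    }

if __name__ == "__main__":
    for name, chain in scenarios().items():
        print(f"{name:14} -> {chain}")
```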


