Re: SSL info



Anne & Lynn Wheeler <lynn@xxxxxxxxxx> writes:
however, by the mid-90s it was realized that x.509 identity
certificates, typically heavily overloaded with personal information
represented significant privacy and liability issues. as a result,
you saw many institutions dropping back to what they called
relying-party-only certificates ... misc. past posts mentioning
RPO certificates:
http://www.garlic.com/~lynn/subpubkey.html#rpo

for a little drift ... these are a couple of posts that draw the
comparison between some of the current electronic chip passports and
the x.509 identity certificates from the early 90s.
http://www.garlic.com/~lynn/aadsm25.htm#46 Flaw exploited in RFID-enabled passports
http://www.garlic.com/~lynn/aadsm26.htm#0 Flaw in RFID-enabled passports (part 2?)

using that comparison, then there is the possibility that all personal
information would be eliminated from the passport chips ... for
similar privacy and liability reasons that resulted in change-over to
relying-party-only certificates in the mid-90s (and away from x.509
identity certificates frequently overloaded with personal information)
http://www.garlic.com/~lynn/subpubkey.html#rpo

after having worked on SSL-based infrastructure ... that has since come
to be called e-commerce ... previous posts in this thread
http://www.garlic.com/~lynn/2007.html#7 SSL info
http://www.garlic.com/~lynn/2007.html#15 SSL info

we had participated in the x9a10 financial standard working group. In the
mid-90s, x9a10 had been given the requirement to preserve the integrity
of the financial infrastructure for all retail payments
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#x959

it was in this period that we had coined the term certificate
manufacturing to differentiate the commonly deployed SSL digital
certificate infrastructure (of the period) from "real" PKI:
http://www.garlic.com/~lynn/subpubkey.html#manufacture

it was also in this period that several people made claims that
upgrading financial transactions with client/consumer digital
certificates would bring retail financial transactions into the
modern era.

the issue here (as in the passport case) is that credentials and
certificates are constructs developed for providing trusted
information for an offline environment. in the 70s, electronic payment
networks made the transition from the offline environment to the
online environment ... and supported real-time information regarding
authentication and authorization. a digital certificate-based offline
paradigm for financial transactions, rather than representing any
modernization, would result in reverting to the pre-70s paradigm.

it was in this period that we also coined the term "comfort
certificates" ... the redundant and superfluous use of stale, static
digital certificates (an offline paradigm construct) in an online
environment. The "comfort certificates" provided familiarity and
comfort to mindsets that were stuck in the old-fashioned offline
paradigm (which required credentials and certificates to provide
trusted information distribution) ... and had difficulty making the
transition to a trusted online integrity paradigm.

our repeated observations about the offline digital certificate model
actually regressing effective operation by several decades (rather
than any modernization) was some of the motivation behind OCSP (online
certificate status protocol). However, our observation was that it was
really a Rube Goldberg fabrication ... given any operation ... what is
more valuable: ... 1) a real time transaction involving real time
authentication and authorization information ... or 2) a real time
transaction providing status indication about stale, static digital
certificate information.

this was also the period that spawned the infrastructure that enabled
the "yes card" exploits
http://www.garlic.com/~lynn/subintegrity.html#yescard

i.e. adding chips to payment cards for use in retail transactions.
there were some number of claims that adding the chips even increased
the vulnerabilities ... compared to a similar magstripe card w/o a
chip.
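The offline-credential versus online-record contrast argued in the post
above, as an added example that is not part of the original post: a
constructed simulation in which a relying-party-only certificate plus an
OCSP-style status lookup is compared against a single real-time check of
the issuer's live account record. The account, serial, timeline, credit
limit and the "reported lost" event are all made up for the example;
HMAC-SHA256 with shared keys stands in for digital signatures so the code
runs on the Python standard library alone (it is not a real signature
scheme, and the responder's snapshot-and-cache behaviour is a simplification
of how a real OCSP responder is fed).

```python
"""Constructed simulation (added example, not from the original post):
offline certificate + status lookup vs. an online check against the live
account record. HMAC-SHA256 with a shared key stands in for digital
signatures so the example runs on the standard library alone."""
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-issuer-key"       # stand-in for the issuer/CA signing key
HOLDER_KEY = b"constructed-cardholder-key"   # stand-in for the account holder's key


def mac(key: bytes, payload: dict) -> str:
    """Deterministic MAC over canonical JSON (signature stand-in, assumption)."""
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_cert(body: dict) -> dict:
    return {"body": body, "sig": mac(ISSUER_KEY, body)}


def issue_identity_cert(account, serial, not_before, not_after):
    # early-90s style identity certificate: the binding is overloaded with PII
    return issue_cert({"serial": serial, "account": account, "not_before": not_before,
                       "not_after": not_after, "name": "A. Holder",
                       "address": "1 Example St", "dob": "1970-01-01"})


def issue_rpo_cert(account, serial, not_before, not_after):
    # relying-party-only: carries nothing the relying party does not already hold
    return issue_cert({"serial": serial, "account": account,
                       "not_before": not_before, "not_after": not_after})


class Ledger:
    """The issuer's live account records: the online paradigm's source of truth."""
    def __init__(self):
        self.accounts = {}

    def open(self, account, serial, limit):
        self.accounts[account] = {"serial": serial, "status": "good", "available": limit}

    def flag(self, account):
        self.accounts[account]["status"] = "blocked"


class StatusResponder:
    """OCSP-like responder: snapshots the ledger on refresh, answers from the snapshot."""
    def __init__(self, ledger):
        self.ledger = ledger
        self.snapshot = {}

    def refresh(self):
        self.snapshot = {r["serial"]: r["status"] for r in self.ledger.accounts.values()}

    def status(self, serial):
        return self.snapshot.get(serial, "unknown")


def sign_txn(account, amount, now):
    body = {"account": account, "amount": amount, "time": now}
    return {"body": body, "sig": mac(HOLDER_KEY, body)}


def txn_ok(txn) -> bool:
    return hmac.compare_digest(mac(HOLDER_KEY, txn["body"]), txn["sig"])


def authorize_offline(cert, responder, txn, now) -> bool:
    """Certificate paradigm: trust the static credential plus a status lookup
    about that credential. It knows nothing about the live balance."""
    body = cert["body"]
    if not hmac.compare_digest(mac(ISSUER_KEY, body), cert["sig"]):
        return False
    if not body["not_before"] <= now <= body["not_after"]:
        return False
    if body["account"] != txn["body"]["account"] or not txn_ok(txn):
        return False
    return responder.status(body["serial"]) == "good"


def authorize_online(ledger, txn) -> bool:
    """Online paradigm: one real-time round trip to the live record gives both
    authentication (key on file) and authorization (status, available funds)."""
    rec = ledger.accounts.get(txn["body"]["account"])
    if rec is None or not txn_ok(txn):
        return False
    if rec["status"] != "good" or txn["body"]["amount"] > rec["available"]:
        return False
    rec["available"] -= txn["body"]["amount"]
    return True


def run_scenario():
    """Constructed timeline: cert issued; status snapshot taken; account blocked;
    purchase attempted; responder refreshed. Returns (stale, live, after)."""
    ledger = Ledger()
    ledger.open("acct-1", serial=42, limit=100)
    cert = issue_rpo_cert("acct-1", 42, not_before=0, not_after=1_000)
    responder = StatusResponder(ledger)
    responder.refresh()                 # t=10: snapshot says serial 42 is good
    ledger.flag("acct-1")               # t=20: issuer blocks the account (reported lost)
    txn = sign_txn("acct-1", 75, now=30)
    stale = authorize_offline(cert, responder, txn, now=30)   # True: answers from stale status
    live = authorize_online(ledger, txn)                      # False: live record is blocked
    responder.refresh()                                       # next snapshot catches up
    after = authorize_offline(cert, responder, txn, now=40)   # False only now
    return stale, live, after
```

The point the simulation makes is the one in the post: the certificate path
performs two round trips (one to the relying party, one to the status
responder) and still answers from whatever the responder last copied out of
the ledger, while the online path is one round trip to the record that the
issuer already keeps and that already holds the key, the status and the
available funds. Note also that the certificate path cannot decline an
over-limit purchase at all, because the static credential carries no balance.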