Re: PKI and Relying Parties

From: Paul Rubin <phr-n2002a@nightsong.com>
Date: 27 Mar 2002 10:02:41 -0800


Harold Hammond <HammondITS@netscape.net> writes:
> I have a pretty good understanding of PKI; however, I'm not sure what would
> be the solution for an enterprise that wishes to be a relying party but
> not a CA. We don't want to be issuing certs. Right now, we don't want
> anyone else to be issuing certs on our behalf. We just want to be able
> to validate certificates. If it's a level 3 cert and it's from an
> approved CA (or a subordinate of an approved CA) then we can be certain
> of the user's identity and will let them attempt to access our system.

No you really can't be sure. First of all, the cert holder may have
suffered some compromise of their signing key. Second, the CA
verifies applicants' identities pretty carefully, but as any teenager
who's used fake ID to buy beer can tell you, those checks are not
foolproof. A year or so ago some unidentified sly devil managed to get
Verisign to issue him or her a CODE SIGNING certificate labelled
"Microsoft Corporation", enabling sort of the ultimate computer virus,
a signed code install that verified as coming from Microsoft. MS
had to release a Windows service pack to disable that cert (CRL? Hah!).

If you're trying to use a cert to authenticate a high-value extranet
peer, and you don't want to run your own CA, the safest approach is to
configure your software to accept only specific certs kept in a list
that you maintain. Have the peer get their cert (whether class 3 or
whatever), then you authenticate them offline by whatever method you
desire before installing their cert in your software. Normally
there's enough hassle (both business and technical) in bringing a new
extranet partner online that adding some cert verification doesn't
make it that much worse. But I guess it depends on your specific
situation.

You might want to read Bruce Schneier's article on PKI risks, and
his book "Secrets and Lies".
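The "accept only specific certs kept in a list that you maintain" approach from the reply above, as an added example that is not part of the original post or Paul Rubin's code: the relying party pins the SHA-256 fingerprint of each partner certificate it vetted offline, and rejects anything else, including a cert a trusted CA mis-issued. The partner names, the `PinnedPeer` record and the DER byte strings are constructed stand-ins.

```python
"""Relying party without a CA: accept only certificates on a list you maintain."""
import hashlib
import hmac
import ssl
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PinnedPeer:
    partner: str       # extranet partner we authenticated out of band
    fingerprint: str   # SHA-256 of the DER cert, hex, colons optional
    vetted_by: str     # record of the offline check that approved this cert


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, formatted like 'openssl x509 -fingerprint -sha256'."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    """Accept fingerprints pasted with or without colons, in either case."""
    return fp.replace(":", "").replace(" ", "").upper()


def lookup_peer(der_cert: bytes, allowlist: List[PinnedPeer]) -> Optional[PinnedPeer]:
    """Return the allowlist entry for this exact certificate, or None if it is not pinned."""
    presented = _normalize(fingerprint(der_cert))
    for entry in allowlist:
        # constant-time compare: the check is a secret-independent hash, but leaking
        # match timing is still not something a relying party should do
        if hmac.compare_digest(presented, _normalize(entry.fingerprint)):
            return entry
    return None


def check_peer(tls_sock: ssl.SSLSocket, allowlist: List[PinnedPeer]) -> PinnedPeer:
    """Post-handshake hook: fail closed unless the peer's cert is on the list."""
    der = tls_sock.getpeercert(binary_form=True)
    if der is None:
        raise ssl.SSLError("peer presented no certificate")
    entry = lookup_peer(der, allowlist)
    if entry is None:
        raise ssl.SSLError("certificate not on the relying party's allowlist")
    return entry


# Constructed sample data: stand-in DER bytes for one vetted partner cert and one
# cert that a CA also issued but that we never approved offline.
PARTNER_CERT_DER = b"constructed-der-for-partner-A"
UNVETTED_CERT_DER = b"constructed-der-for-someone-else"
ALLOWLIST = [PinnedPeer("Partner A extranet", fingerprint(PARTNER_CERT_DER), "phone + courier, 2002-03")]
```

`check_peer` is meant to run right after `wrap_socket`/`do_handshake` with `CERT_REQUIRED` still set, so chain validation and the allowlist both have to pass.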
