> And a validate service might be run on a 10% untrusted
> machine in a locked

No, there is a very precise meaning here. In the case of a locate service that only returns certificates, the locate service is NOT TRUSTED in a formally defined sense, i.e. we can assume a total compromise of the locate service: Mallet has full control over it, and there is no compromise of the system other than a loss of service. This is the case because, despite having full control over the service, Mallet does not have the means to create certificates. The only thing that Mallet can do is to deny that the certificate exists, which is a denial-of-service attack but does not lead to either a disclosure failure or an integrity failure.

Failure of a validate service MAY result in a failure of the system as a whole, because the client MAY rely on it.

There is no such thing as a 10% untrusted system; it is like being pregnant, either you are trusted or you are not. The confusion arises when people equate trusted with being trustworthy, the most remarkable example of which being the DNS system, which is certainly trusted (attack that successfully and you can redirect traffic for the entire Internet) but is not trustworthy by cryptographic criteria unless DNSSEC is deployed, since by default the responses are not authenticated.

Phill
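The distinction drawn in the message above, a locate service that sits outside the trust boundary because the client checks the CA signature itself versus a validate service whose bare yes/no the client relies on, as an added example in Go that is not part of the original thread. It assumes Ed25519 signatures with a pinned CA public key, a minimal name-plus-key certificate structure standing in for a real certificate format, and constructed parties named alice and mallet; the two compromised locate services, one forging and one denying, are the things the message says Mallet can attempt with full control of the service but no CA key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate binds a subject name to a public key under the CA's signature.
// A deliberately minimal stand-in for a real certificate format (assumption).
type Certificate struct {
	Subject string
	PubKey  ed25519.PublicKey
	Sig     []byte // CA signature over tbs(Subject, PubKey)
}

// tbs is the to-be-signed encoding; the NUL separator keeps subject and key apart.
func tbs(subject string, pub ed25519.PublicKey) []byte { return append([]byte(subject+"\x00"), pub...) }

// issue is the one thing only the CA can do, because it needs the CA signing key.
func issue(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{subject, pub, ed25519.Sign(caPriv, tbs(subject, pub))}
}

func keypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: nothing sensible to continue with
	}
	return pub, priv
}

// Locate answers "give me the certificate for subject"; Validate answers "is this
// certificate good?" with a bare yes/no. Either may be under Mallet's control.
type Locate func(subject string) (Certificate, bool)
type Validate func(c Certificate) bool

var ErrNotFound = errors.New("locate: no such certificate (denial of service only)")
var ErrBadCert = errors.New("certificate rejected by check")

// Lookup fetches through loc and accepts the result only if check approves it.
// Whatever supplies check is inside the client's trust boundary; loc is not.
func Lookup(loc Locate, check Validate, subject string) (Certificate, error) {
	c, ok := loc(subject)
	if !ok {
		return Certificate{}, ErrNotFound
	}
	if !check(c) {
		return Certificate{}, ErrBadCert
	}
	return c, nil
}

// VerifyLocally is the check a client applies itself with a pinned CA public
// key: the subject must match and the CA signature must verify.
func VerifyLocally(caPub ed25519.PublicKey, subject string) Validate {
	return func(c Certificate) bool {
		return c.Subject == subject && ed25519.Verify(caPub, tbs(c.Subject, c.PubKey), c.Sig)
	}
}

type Outcome struct {
	HonestOK       bool // honest locate: verifying client gets Alice's real key
	ForgedRejected bool // Mallet's locate serves a cert signed with his own key: rejected
	DoSOnly        bool // Mallet's locate denies Alice exists: an error, but no wrong key accepted
	TrustingFooled bool // client defers to Mallet's validate service: takes his key as Alice's
}

// RunScenario builds a CA plus keys for Alice and Mallet (names constructed for
// the example) and runs both kinds of client against honest and compromised services.
func RunScenario() Outcome {
	caPub, caPriv := keypair()
	alicePub, _ := keypair()
	malletPub, malletPriv := keypair()
	aliceCert := issue(caPriv, "alice", alicePub)
	honest := func(s string) (Certificate, bool) { return aliceCert, s == "alice" }
	// Mallet owns the locate service but not the CA key: he can sign with his own key ...
	forged := Certificate{"alice", malletPub, ed25519.Sign(malletPriv, tbs("alice", malletPub))}
	forging := func(string) (Certificate, bool) { return forged, true }
	// ... or deny that the certificate exists.
	denying := func(string) (Certificate, bool) { return Certificate{}, false }
	// A compromised validate service says yes to whatever it is shown.
	rubberStamp := Validate(func(Certificate) bool { return true })
	var o Outcome
	self := VerifyLocally(caPub, "alice")
	c, err := Lookup(honest, self, "alice")
	o.HonestOK = err == nil && c.PubKey.Equal(alicePub)
	_, err = Lookup(forging, self, "alice")
	o.ForgedRejected = errors.Is(err, ErrBadCert)
	_, err = Lookup(denying, self, "alice")
	o.DoSOnly = errors.Is(err, ErrNotFound)
	c, err = Lookup(forging, rubberStamp, "alice")
	o.TrustingFooled = err == nil && c.PubKey.Equal(malletPub)
	return o
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Running it prints the Outcome: with the client verifying locally, Mallet's forged certificate is rejected and his denial is only a loss of service, while the client that defers to a rubber-stamp validate service accepts Mallet's key as Alice's. That last case is the validate-service failure the message describes: the client's correctness now depends on the service's answer, so the service is inside the trust boundary whether or not it happens to be trustworthy.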
This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 20 September 2007 14:30:56 GMT