> And a validate service might be run on a 10% untrusted
> machine in a locked
No, there is a very precise meaning here.
In the case of a locate service that only returns certificates,
the locate service is NOT TRUSTED in a formally defined sense.
I.e., we can assume a total compromise of the Locate service:
Mallet has full control over it, and there is no compromise of
the system other than a loss of service.
This is the case because despite having full control over the
service Mallet does not have the means to create certificates.
The only thing that Mallet can do is to deny that the certificate
exists which is a denial of service attack but does not lead
to either a disclosure failure or an integrity failure.
Failure of a validate service MAY result in a failure of the
system as a whole because the client MAY rely on it.
There is no such thing as a 10% untrusted system, it is like
being pregnant, either you are trusted or you are not.
The confusion arises when people equate trusted with being
trustworthy, the most remarkable example of which is the
DNS system, which is certainly trusted (attack it successfully
and you can redirect traffic for the entire internet) but is
not trustworthy by cryptographic criteria unless DNSSEC is
deployed, since by default the responses are not authenticated.
Phill
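As an added illustration, not part of Phill's message: a small Python model of the two service types. It uses a toy RSA CA key (constructed small primes, far too weak for real use) so the client can verify certificates itself, and shows that a locate service under Mallet's full control can only withhold a certificate or hand back one the client rejects, whereas a client that relies on a validate service's answer inherits that service's compromise.

```python
import hashlib

# Toy CA key: RSA with constructed primes p=10007, q=10009 (illustration only, not a real key).
CA_P, CA_Q, CA_E = 10007, 10009, 65537
CA_N = CA_P * CA_Q
CA_D = pow(CA_E, -1, (CA_P - 1) * (CA_Q - 1))   # private exponent, held only by the CA

def _digest(subject: str, pubkey: str) -> int:
    """Hash the subject/key binding down to an integer the toy key can sign."""
    return int.from_bytes(hashlib.sha256(f"{subject}|{pubkey}".encode()).digest(), "big") % CA_N

def ca_issue(subject: str, pubkey: str) -> dict:
    """The trusted CA (outside both services) signs the binding with its private key."""
    return {"subject": subject, "pubkey": pubkey, "sig": pow(_digest(subject, pubkey), CA_D, CA_N)}

def client_verify(cert: dict) -> bool:
    """The client checks the CA signature itself; it places no trust in whoever delivered it."""
    return pow(cert["sig"], CA_E, CA_N) == _digest(cert["subject"], cert["pubkey"])

class LocateService:
    """Only hands back stored certificates. `mallet` simulates total compromise."""
    def __init__(self, certs: dict, mallet=None):
        self.certs, self.mallet = certs, mallet

    def locate(self, subject: str):
        cert = self.certs.get(subject)
        if cert is None or self.mallet == "withhold":
            return None                                # the most Mallet can do: deny it exists
        if self.mallet == "swap":
            return dict(cert, pubkey="MALLET_KEY")     # no CA private key, so cannot re-sign
        return cert

class ValidateService:
    """Asserts the subject's key; the client relies on the assertion as-is."""
    def __init__(self, certs: dict, mallet=None):
        self.certs, self.mallet = certs, mallet

    def validate(self, subject: str) -> str:
        return "MALLET_KEY" if self.mallet == "swap" else self.certs[subject]["pubkey"]

def key_via_locate(svc: LocateService, subject: str) -> str:
    """Untrusted locate path: compromise degrades to denial of service or a rejected cert."""
    cert = svc.locate(subject)
    if cert is None:
        return "DENIAL_OF_SERVICE"
    return cert["pubkey"] if client_verify(cert) else "REJECTED"

def key_via_validate(svc: ValidateService, subject: str) -> str:
    """Trusted validate path: no independent check, so its compromise is the client's."""
    return svc.validate(subject)

CERTS = {"alice@example.org": ca_issue("alice@example.org", "ALICE_KEY")}   # constructed sample
```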