CA influence over confidentiality
Adam Back
aba at dcs.ex.ac.uk
Wed, 8 Jul 1998 20:54:12 +0100
David Swarbrick writes:
> In message <199807081546.QAA19241@server.eternity.org>, Adam Back
> <aba@dcs.ex.ac.uk> writes
> >I am thinking for example of a DTI licensed CA providing X.509
> >certificates which chooses to provide certification services for
> >authentication only. Can the CA prevent the certificate from being
> >used to obtain confidentiality, or confidentiality over a certain
> >strength.
>
> I would assume the authority uses such models and accepts certificates
> as it wants and which comply with the standards. If you want to use a
> standard they do not support, then tough cheddar, find someone who
> supports the software you want to use.
My point was more technical: S/MIME X.509 keys and certificates can
contain a flag called "keyUsage". This flag allows you to state
things like this key is: "only to be used for verifying signatures",
or "only to be used for sending encrypted messages", or "not to be
used to certify other keys".
The flags are required to be implemented according to the IETF S/MIME
specs (also perhaps PKIX, and TLS) for any implementation wishing to
claim standards compliance.
So the determining factors are:
- what IETF S/MIME standards say
- what Netscape and Microsoft have implemented
- what flags the CA will accept in keys, and what flags CAs will put
in certificates
I think that the system composed of a CA so disposed, and normal
Netscape or Microsoft software, would allow the CA to negatively
influence the amount of confidentiality you could achieve with the
certificate. That many users will use this combination is likely
simply because they don't know better.
I was asking for clarification from anyone who has tinkered with
S/MIME in this regard as to what the limits are to what the CA can
achieve in weakening or removing confidentiality.
> More interesting is the question of what subtle influences will be
> brought on CAs by the licensing authorities not to use or support
> proper encryption standards.
I think they will use the X.509 standards for S/MIME and SSL/TLS
(web server, and clients), and PKIX (IETF public key infrastructure
group) etc. There may be some pressure on some groups and CAs to use
Cloud Cover (GCHQ's protocol for key escrow), and more of this below!
It may surprise some as to how much these standards have already been
made key escrow friendly (subverted? or an unintentional consequence
of those involved finding plausible business uses for the mechanisms,
with the nasty side-effect of building the infrastructure for key
escrow).
For example X.509 PKIX profile contains explicit structures for key
escrow, all the hooks are in there, in the IETF documents for key
escrow.
The GCHQ Cloud Cover (previously called CASM) protocol for example
builds upon the existing PKIX hooks to create a X.509 profile adding
key escrow.
(Cloud Cover specs are at:
http://www.opengroup.org/public/tech/security/pki/cki/
currently, though I have taken the liberty of keeping a mirror, just
in case :-)
Adam
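The keyUsage flags discussed in the message above are a DER BIT STRING inside the X.509 keyUsage extension (OID 2.5.29.15); what a CA puts there decides whether the certified key may be used for encryption (keyEncipherment, keyAgreement) or only for signatures. The decoder below is an added example, not code from the post or from any S/MIME product, and the three sample extensions are hand-encoded DER constructed for it, not taken from a real certificate.

```python
"""Decode the X.509 keyUsage extension (RFC 5280 / X.509 v3) from raw DER."""

KEY_USAGE_OID = bytes.fromhex("551d0f")  # DER content bytes of OID 2.5.29.15
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]
# Flags that let the key establish confidentiality (S/MIME enveloped data, TLS key exchange).
CONFIDENTIALITY_USAGES = {"keyEncipherment", "dataEncipherment", "keyAgreement"}


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos -> (tag, content, next_pos). Short-form lengths only."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in a keyUsage extension")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def decode_key_usage_bits(bitstring):
    """Map BIT STRING content (unused-bits byte, then data) to named KeyUsage flags."""
    unused, data = bitstring[0], bitstring[1:]
    usable_bits = min(len(data) * 8 - unused, len(KEY_USAGE_BITS))
    # Bit 0 (digitalSignature) is the most significant bit of the first data byte.
    return {KEY_USAGE_BITS[i] for i in range(usable_bits) if data[i // 8] & (0x80 >> (i % 8))}


def parse_key_usage_extension(ext_der):
    """Parse Extension SEQUENCE { OID, [critical BOOLEAN], OCTET STRING { BIT STRING } }."""
    tag, body, _ = read_tlv(ext_der)
    if tag != 0x30:
        raise ValueError("extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or oid != KEY_USAGE_OID:
        raise ValueError("not a keyUsage extension")
    critical = False
    tag, val, nxt = read_tlv(body, pos)
    if tag == 0x01:  # optional critical flag; DER encodes TRUE as 0xFF
        critical = val == b"\xff"
        tag, val, nxt = read_tlv(body, nxt)
    if tag != 0x04 or val[0] != 0x03:
        raise ValueError("extnValue must be an OCTET STRING wrapping a BIT STRING")
    usages = decode_key_usage_bits(read_tlv(val)[1])
    return {"critical": critical, "usages": usages,
            "confidentiality": bool(usages & CONFIDENTIALITY_USAGES)}


# Constructed sample extensions, hand-encoded DER (not taken from any real certificate).
SIGN_ONLY = bytes.fromhex("300e 0603551d0f 0101ff 0404 0302 0780")         # digitalSignature only
SIGN_AND_ENCRYPT = bytes.fromhex("300e 0603551d0f 0101ff 0404 0302 05a0")  # + keyEncipherment
CA_ONLY = bytes.fromhex("300b 0603551d0f 0404 0302 0106")                  # keyCertSign + cRLSign
```

A client that honours the extension will refuse to encrypt to the SIGN_ONLY certificate, which is exactly the lever the CA holds; a CA that marks the extension critical also tells compliant software to reject the certificate outright rather than ignore flags it does not understand.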