Re: Clipper III analysis



There were a number of flaws in that paper, but perhaps the most glaring to
me is that there are actually 3 classes of key:

the two you mentioned:
	communications key
	storage key
and
	signature key

Of these, you want key recovery *only* for storage keys.  You want to make
sure no one can get to your signature key.  Even the IWG paper notes that.
But the only use for a PKI of any form is for a signature key.  Once you
have your identity established somehow for a signature key, you can
generate and sign comm or storage keys at will.  Furthermore, if you lose a
signature key, there's no big loss.  You generate a new one and get a new
cert for it.  So there's *NEVER* a reason for key recovery for a signature
key -- the only keys for which there is a need for a PKI.

I find myself wondering.

Did some very clever crypto-theoretician plant this idea in their heads
(sig key database giving GAK) knowing that the structure had termites?

I first heard this from Micali...and here I always thought he was on their
side.  I may have misjudged the man. :)

 - Carl


+------------------------------------------------------------------------+
|Carl M. Ellison   [email protected]     http://www.clark.net/pub/cme          |
|PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2|
|  "Officer, officer, arrest that man!  He's whistling a dirty song."    |
+-------------------------------------------- Jean Ellison (aka Mother) -+
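
The key hierarchy argued for in the message above, as an added example that is not part of the original post: one signature key certifies communications and storage keys generated at will, so only a storage key would ever need a recovery copy. The choice of Ed25519 and X25519, the purpose labels, and all type and function names are assumptions made for this sketch.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SubKey binds a comm or storage public key to its purpose (hypothetical type).
type SubKey struct {
	Purpose string // "comm" or "storage"
	Public  []byte // X25519 public key
	Sig     []byte // Ed25519 signature over Purpose || 0x00 || Public
}

func binding(purpose string, pub []byte) []byte {
	return append(append([]byte(purpose), 0), pub...)
}

// NewSignatureKey creates the one key a PKI would certify. It is never escrowed.
func NewSignatureKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Certify generates a fresh subkey "at will" and signs it with sigKey.
func Certify(sigKey ed25519.PrivateKey, purpose string) (SubKey, *ecdh.PrivateKey) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pub := priv.PublicKey().Bytes()
	return SubKey{purpose, pub, ed25519.Sign(sigKey, binding(purpose, pub))}, priv
}

// Verify reports whether k was certified for its stated purpose by sigPub.
func Verify(sigPub ed25519.PublicKey, k SubKey) bool {
	return ed25519.Verify(sigPub, binding(k.Purpose, k.Public), k.Sig)
}

func main() {
	sigPub, sigKey := NewSignatureKey()
	storage, _ := Certify(sigKey, "storage")
	fmt.Println("storage key verifies:", Verify(sigPub, storage))
}
```

Because the purpose label is covered by the signature, a recoverable storage key cannot be relabelled as a communications key, and replacing a lost signature key only requires certifying fresh subkeys under the new one.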