[OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal

Francisco Corella fcorella at pomcor.com
Tue Feb 14 18:13:40 UTC 2012


Eddy,

> On 02/14/2012 06:46 AM, From Francisco Corella:
> > I guess you mean that if the relying party downloads a certificate in
> > the body of an HTTP response with a content-type header whose value is
> > a MIME type indicating that the body contains a certificate, and if
> > Firefox "finds a valid key pair" then Firefox will import the
> > certificate automatically.  Did I guess right?
> 
> Yes.
> 
> > Well, depending on the details, that could be a security hole.  If the
> > valid key pair that Firefox finds consists of the public key in an
> > existing certificate and the associated private key, Firefox could end
> > up replacing the existing certificate with one downloaded by an
> > attacker that binds the public key to the attacker's identity.
> 
> No, if an attacker could do that it'd be too late anyway, then he
> probably could impersonate the entire internet. "Finding" a public key
> that would match a private key is kind of impossible (with sufficient
> key size). But I'm not sure if this is the right forum for such crypto
> stuff.

When you say "Firefox finds a valid key pair" you must be talking
about finding the key pair IN THE BROWSER STORE.  I don't see why it's
impossible to match the public key in the certificate being downloaded
to the public keys found in the browser store.

Anyway, we are going around in circles because the process you use to
generate a certificate and get the browser to import it is not
documented.  You really should document it.  In this day and age it is
not acceptable to use security protocols that are not documented and
open to the scrutiny of others.  Especially if you are running a CA.

Francisco



>________________________________
> From: Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org>
>To: "openid-general at lists.openid.net >> 'openid-general'" <openid-general at lists.openid.net> 
>Sent: Tuesday, February 14, 2012 2:55 AM
>Subject: Re: [OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal
>Regards
>
>Eddy Nigg, COO/CTO
>StartCom Ltd.
>XMPP: startcom at startcom.org