Practice Cryptography!

Even with all of the cryptologic and cryptographic technology that has existed in the world for the past 60 years, we still don't really know what encryption is good for or how to use it -- or, more importantly, why it's important. Maybe it's time for people and coders to actually start practicing how to use it, like any other skill.

Friday, February 24, 2006

 

tight versus loose identity binding...

That last post of mine, I wrote about a year ago (at least according to the date on the file). In that time, I've learned a couple of things, but they only reinforce the concepts I mention.

A company CA verifies that its employees' certificates are, in actuality, owned and controlled by employees of the company. This means, effectively, that the company CA maintains the context of the company.

Now, it would be nice (for companies) if they could tightly bind the employee's legal identity with the position within the company. However, there are some issues that make that difficult, including the fact that the certificate goes out to everyone, and even knowledge of the internal structure of a company can be good for people trying to perform social engineering attacks. (Not everything is done electronically, after all -- most things are still done with voice calls.)

Another aspect is that a tight binding like that couldn't actually be created by the company; it would have to be created by the maintainers of the legal identity context. (We've already seen that there aren't any of those, really -- or rather, there are far too many of them.) And promotions/demotions/firings... those would be difficult to deal with, as well, as the credential must be revoked and a new one issued (as appropriate). So, it's a loose binding -- cryptographically speaking. The top executives of corporations are on file with the state they are incorporated in, so there is a tighter binding there... and as we shall see, sometimes that's not such a good idea.
