NESSETT@CCC.NMFECC.GOV (12/21/89)
There was one item raised in the recent discussion of certificates that I feel requires further comment. At least two correspondents pointed out that a recent paper in the Symposium on Operating System Principles notes a vulnerability in X.509. Not having received the proceedings of that symposium as yet, I asked people who are members of the privacy and security research group if they had seen the paper. The chairman of that group, Steve Kent of BBN, sent me the following reply.

---------------------------forwarded message-----------------------------
> Dan,
>
> The paper in SOSP notes a vulnerability in the 509 authentication
> protocol, which has nothing to do with our use of certificates in mail
> or with certificates in general. It is a typical oversight in the
> protocol design for the three-way handshake and the paper even proposes
> a fix. So, I don't see this criticism of 509 being a significant issue,
> just a condemnation of the sloppiness of the standards process.
>
> Steve
---------------------------end of forwarded message----------------------

Dan Nessett

Denis.Russell%newcastle.ac.uk@NSFNET-RELAY.AC.UK (12/21/89)
With reference to:

> ...
> At least two correspondents pointed out that a recent
> paper in the Symposium on Operating System Principles notes a vulnerability in
> X.509. Not having received the proceedings of that symposium as yet, I asked
> people who are members of the privacy and security research group if they had
> seen the paper....

The paper hasn't made it to our library yet either, but I presume (?) that it refers to the work of Burrows, Abadi, and Needham. This can be found in DEC's Systems Research Center Technical Report 39 "A Logic of Authentication", Feb 28, 1989. In this report they analyze several protocols and do indeed point out a problem in X.509 (p 36) and suggest a solution (p 40).

The problems are in the same sort of category as the hole in the original Needham-Schroeder protocol as pointed out by Denning and Sacco, and are to do with the problems (impossibility?) of assuring that the {\it protocols} do not contain logical holes unless a formal method of reasoning about the protocols is used. They provide such a formal method, and the exercise with X.509 is one demonstration of its utility.