Robot CA at toehold.com
David Shaw
dshaw@jabberwocky.com
Tue Dec 10 18:55:02 2002
On Tue, Dec 10, 2002 at 11:39:56AM -0600, Kyle Hasselbacher wrote:
> >This is not necessarily true - I wrote a robot which has the same
> >general concept as the other robots, but does no signing online. I
> >wasn't satisfied with including a key on a internet-connected machine,
> >so the robot code just handles the grunt work and then passes me a
> >list of keys to sign offline. That robot, incidentally, is not
> >running.
>
> Is that really better? I see very similar attacks.
>
> - - Break into the robot box, steal the secret key, use it to sign bogus keys
> until someone notices and revokes it.
>
> - - Break into the robot box, insert bogus keys into the "OK to sign" list,
> get them signed until someone notices.
>
> Not knowing the details of your setup, I don't know if this is a valid
> attack. I think as long as you trust the computer to do the validation
> correctly, you might as well trust it to do the signing too.
Not a valid attack, because it's not an automated process. I am
personally the part of the process that signs the keys and I double
check. ;)
Incidentally, what do you plan to do if/when your robot key gets
compromised? There are a lot of "Granny"s that will need their
configurations updated.
David
--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson