multiple subkeys and key transition

Robert J. Hansen rjh at
Fri Dec 10 00:45:53 CET 2010

On 12/9/2010 5:32 PM, Daniel Kahn Gillmor wrote:
> Again, can you give an example of such an exploit?

Here is where I get to say either of, "I don't have to," or "pick one,"
or "you're the one who's positing the attacks."  All I'm positing is
some future attack that will allow people to abuse a cert in a way you
don't like.  You're counseling that people move away from SHA-1 *today*
based on the fear that somewhere someone has already done
chosen-preimage collisions against SHA-1 in a reasonable timeframe.

My assumption is quite a lot weaker than yours.

> "That is not my certificate.  It was revoked (marked as superseded) on
> $date.  I continue to use the same key material in a different certificate."

If the law in your jurisdiction recognizes such and the court has
precedent to lean upon, this argument will fly.

Speaking just for myself, I have no desire to be the first person to
make such an argument.  The instant you re-use key material, it opens
the door to someone saying, "Your Honor, the existing precedent doesn't
apply.  He's still using the same certificate!"  And now you're
depending on a judge having better technical acumen than many of the
people on this mailing list.  Ultimately, it will reduce to a battle of
the dueling expert opinions.

> And if addressing a hopelessly legally-minded audience in the USA, you
> could add: "of course i didn't make that signature; it uses
> $deprecated_algorithm, which i haven't used since NIST deprecated it
> back in 2010."

"You made it with that signature because you wanted to be able to
repudiate it later.  You're trying to deceive the Court."

On the one hand, what you say is perfectly reasonable.  On the other
hand, so is what I say.

>> Remember, in the eyes of the U.S. federal
>> court system, MD5 is considered a strong hash with no known attacks
>> against it.
> Could you cite a reference for this?

_Sanders v. State_, 191 S.W.3d 272 (Tex. App. - Waco 2006) (cert. denied
549 U.S. 1167, 127 S.Ct. 1141, 166 L.Ed.2d 893)(2007)

_State v. Morris_, 2005 WL 356801 (Ohio App. 9 Dist. Feb 16, 2005).

_State v. Cook_, 777 N.E.2d 882, 886 (Ohio App. 2002), including the
money quote "In the present case, there is no doubt that the mirror
image was an authentic copy of what was present on the computer's hard
drive" -- the hard drive was imaged using EnCase, and MD5 was used to
ensure the accuracy of the data.

Also, check the Federal Rules of Evidence.  You may also want to read
_Daubert v. Merrell Dow Pharmaceuticals_.

> There are lots of attacks that can be used against a clueless judiciary,

Yes.  Which is why we don't create more of them without good cause.
There's a difference between saying, "we have to play Russian Roulette,"
and, "let's put another few rounds in the cylinder first."

> Except that you've now broken entirely with the past, which is itself a
> human factor.  Smooth migration, phased upgrades, and planned
> transitions are all good things from a human factors perspective.

If your migration path can't accommodate a planned, scheduled change of
key material, it is quite likely you're doing it wrong.
