key checks

Imran Ghory imranghory at gmail.com
Mon May 23 11:46:01 PDT 2005


On 5/23/05, Brad Fitzpatrick <brad at danga.com> wrote:
> On Mon, 23 May 2005, Imran Ghory wrote:
> 
> > some random ideas about verifying the keys of the id server:
> >
> > 1) The consumer should send (via the user) the fingerprint it holds
> > for the ID server keys, that way the ID server will know (and be able
> > to keep track) if something like DNS poisoning has occured or if a
> > consumer has obtained a dodgy key.
> 
> If DNS poisoning occured, it's the hijacked ID server that'll be getting
> the fingerprint, which means it can do whatever it wants, and I bet
> telling the consumer that it's been owned isn't high on its list.

I'm assuming that DNS poisoning (or proxy attack, or whatever attack
of your choice) is localized and so will affect the consumer's direct
access to the ID server but not the users access. After all if the
attacker can control the ID server the user connects to then it's more
or less game over as the attacker would be able to steal the users
identity anyway.

> The keys change so rarely that I'm counting on this logic:
> 
>   if (check signature with DSA public key from cache) {
>        return GOOD;
>   } else if (check signature with DSA public key, not cached) {
>        return GOOD;

Doesn't that assume that the key coming from the ID server will always be good ?

Also what if a security concious id server wants to have regular
(daily/weekly/monthly) changing keys ?

Imran


More information about the yadis mailing list