[Freedombox-discuss] TLS handshake client credential/identity exposure

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jan 10 19:07:37 UTC 2013

On 01/10/2013 12:57 PM, Michael Rogers wrote:
> It does! Is that what Tor does to avoid being blocked? Or does Tor
> just rely on self-signed certs being common enough to avoid attracting
> attention?

Hm, i don't know enough about Tor to answer.  I wouldn't have even
guessed that Tor would use client-side certificates.  does it really?  I
would have thought that tor's emphasis on user anonymity would want to
avoid that sort of thing.

> In that case, could the certs be formatted like ordinary self-signed
> X.509 certs? Or is it not possible to generate the appropriate
> self-signature using a PGP key?

Sure, they could be formatted like ordinary self-signed X.509
certificates, but there still needs to be enough of a clue in the
certificate for the peer to be able to find the associated OpenPGP key.
 If the clue is there, then an adversary could use the clue to look up
the OpenPGP key in the same way as the peer, so it's not much of a
protection, unless there is some sort of private keystore already shared
by the peers.

Maintaining a private keystore, and doing revocation and rekeying with
such a system is an interesting challenge, but it is not nearly as
simple as using the existing global keyserver network.  I consider the
ability to revoke and rekey a pretty important feature.

the leak of the client credential to an eavesdropper seems like the
problem to solve; i don't think trying to make the client certificate
somehow more challenging to interpret is going to provide the
confidentiality you'd want.  If you use the double-handshake approach,
it doesn't matter what the client certificate looks like, since it will
only be seen by the legitimate peer.

Given the above, i think facilitating the lookup by having an explicit
indicator is preferable.

But i'm happy to hear counterarguments, and to get patches to
openpgp2x509 that enable it to create a "normal" self-signed X.509
certificate too.

Thanks for the thoughtful discussion,


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20130110/52b62637/attachment.pgp>

More information about the Freedombox-discuss mailing list