This is the mail archive of the cygwin-talk mailing list for the cygwin project.



Re: The statistics of certification authorities


Dave Korn wrote:
 Which would you trust more, a statement from N months ago that a^y mod m = b, or a statement from 6 years ago that c^y mod m = d ?

Why would how long ago the statement was made have any bearing on its truth or falsity if maths hasn't changed in the meantime?

The mathematics of crypto don't enter into it. Cert expiration is useful because the entities that acquire certificates -- individual humans, corporations, fringe cults, hyperintelligent shades of the colour blue... -- change over time.


Let's continue thinking mathematically about it.

A cert lets us assign a probability and confidence interval to the statement that blob N was signed by entity X. That is, we can imagine a statistical algorithm that takes various facts about the cert, the CA, etc. and comes up with a probability that we can trust that the blob came from the entity it claims to, and a confidence interval for that probability. We can call this our trust statistic.

One of these facts must include how long ago the cert was assigned to entity X, because the chance that entity X has changed in some way which means we can no longer trust blobs claiming to be signed by it increases over time. Our trust statistic is highest at the instant the cert is issued, and declines over time as the chances increase that the entity changes in some way harmful to the trust statistic.

Example: An employee of a company buys a certificate, then later gets fired for some violation of trust within the organization. If we were to learn this fact, it would certainly damage our trust statistic for that cert. We normally will not learn about such things, but we must assume they will happen, so we have to work out some kind of probability that this has happened, which must be an increasing function of time.

A CA makes a decision about the maximum amount of time it is willing to assume that the details about the entity it is certifying do not change, and sets the cert's expiration time accordingly. The certification fee is really a side issue; many CAs charge nothing, directly, as in the case of a large organization that runs an internal CA. Every CA has an incentive to put a lower threshold on the trust statistic, because our trust of the CA is bound up in how much we trust the certs it issues. If it issues 5-year certs, we know the chances that some of them certify things that are no longer true is higher than a CA that only issues 1-year certs. (Assuming a large enough sample size, similar population distributions, etc.)

You are quite free to choose a trust statistic threshold lower than that of the CA. You can decide to trust a blob signed by an "expired" cert.
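A small model of the argument above, added here as an illustration and not code from the thread. It assumes (the mail does not specify this) that trust-damaging changes to the certified entity arrive at a constant hazard rate, so the trust statistic is exp(-rate * age); the CA's threshold then fixes the cert lifetime, while a relying party applies its own, possibly lower, threshold to the same statistic.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption (not from the mail): the chance that the certified entity has
# changed in a trust-damaging way arrives at a constant hazard rate, so the
# probability that it is still unchanged after t years is exp(-rate * t).

YEAR = timedelta(days=365.25)


def trust_statistic(issued_at: datetime, now: datetime, hazard_per_year: float) -> float:
    """Probability that the entity a cert names is still the entity it was at
    issue time. Equals 1.0 at the instant of issue and declines afterwards."""
    age_years = max(0.0, (now - issued_at) / YEAR)
    return math.exp(-hazard_per_year * age_years)


def validity_years(hazard_per_year: float, ca_min_trust: float) -> float:
    """Lifetime a CA with threshold ca_min_trust can give a cert before the
    trust statistic drops below that threshold."""
    return -math.log(ca_min_trust) / hazard_per_year


def expected_stale_fraction(hazard_per_year: float, lifetime_years: float) -> float:
    """Share of certs whose subject has changed by the time they expire;
    grows with lifetime, so 5-year certs carry more stale ones than 1-year certs."""
    return 1.0 - math.exp(-hazard_per_year * lifetime_years)


@dataclass
class Cert:  # constructed stand-in for the cert fields the model needs
    subject: str
    issued_at: datetime
    not_after: datetime


def issue(subject: str, issued_at: datetime, hazard_per_year: float, ca_min_trust: float) -> Cert:
    """The CA sets the expiry from its own trust threshold."""
    return Cert(subject, issued_at, issued_at + validity_years(hazard_per_year, ca_min_trust) * YEAR)


def ca_accepts(cert: Cert, now: datetime) -> bool:
    """The CA's policy: valid between issue and expiry, nothing else."""
    return cert.issued_at <= now <= cert.not_after


def verifier_accepts(cert: Cert, now: datetime, hazard_per_year: float, my_min_trust: float) -> bool:
    """A relying party's policy: its own threshold, which may sit below the
    CA's, so a cert the CA calls 'expired' can still pass here."""
    return trust_statistic(cert.issued_at, now, hazard_per_year) >= my_min_trust
```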

