[cabfpub] On the use of misuse - and the necessity to remove it
Moudrick M. Dadashov
md at ssc.lt
Fri Jun 8 09:36:17 UTC 2018
Would it help if we define its antonym e.g. "designed for or capable of
a particular function or use"?
On 2018-06-07 17:32, Ryan Sleevi via Public wrote:
> On Thu, Jun 7, 2018 at 10:24 AM, Geoff Keating <geoffk at apple.com>
>>> On Jun 7, 2018, at 1:40 PM, Ryan Sleevi via Public
>> <public at cabforum.org> wrote:
>>> In the pursuit of a definition, we tried to work backwards - what
>> are situations we think are misuse.
>> The dictionary definition of ‘misuse’ is:
>> use (something) in the wrong way or for the wrong purpose
> I'm not sure how this helps us move forward - were you suggesting that
> 220.127.116.11 would read:
> 4. The CA obtains evidence that the Certificate was used for the wrong
> way or for the wrong purpose;
> With such a definition, this supposes there's a right way or right
> 1) Do you believe the right purpose is wholly reflecting in the
> 2) Do you believe the right way is wholly reflected in the definition
> I provided (from 1.1), that the right way is "used for authenticating
> servers accessible through the Internet"
>>> Another suggestion was that it involved scenarios where the
>> Subscriber private key was in an HSM, and itself was not
>> compromised, but had signed things it was not expected to. This
>> wasn't elaborated on further - so I'm uncertain if this meant things
>> other than the TLS handshake transcript - but this is already met by
>> our definition of Key Compromise in 1.6.1, that is:
>>> ""A Private Key is said to be compromised if its value has been
>> disclosed to an
>>> unauthorized person, an unauthorized person has had access
>> to it, or there exists a
>>> practical technique by which an unauthorized person may
>> discover its value. “""
>> If a key is in a HSM and not exportable, then its value is not
>> disclosed, nor does an unauthorized person have access *to the
>> key*. Dictionary definition of ‘access’ is 'obtain, examine,
>> or retrieve’ none of which apply here. So it is not covered by
>> Key Compromise.
> I'm not sure - what are you providing an example of? I would think
> that, say, generating a signed message that was not authorized, then
> "an unauthorized person has access to it". Perhaps you could help me
> understand this misuse - is it that the signature was authorized and
> was directed to sign something that they didn't want to do?
> Public mailing list
> Public at cabforum.org
More information about the Public