This article has not yet been rated on Wikipedia's content assessment scale.
Should there be a separate entry for basic attestation? Should this entry be a sub-part of that entry? Also, I think it would be more accurate to say that DAA is a cryptographic protocol rather than a digital signature scheme.
Personally I feel this article is badly written and contains numerous errors. I suggest a complete rewrite. If I get time I will make the necessary changes. As a note to myself:
I will endeavor to do a rewrite at some point....-- Bah23 17:13, 24 January 2007 (UTC)
It might be reasonable to note that "Interdomain.." paper seems to suggest signing AIKs "by using DAA technique" and platform "sending public part of EK" with Issuer "verifying" TPM using a list of known keys. It seems there are no AIKs with DAA and authentication should be done using private part of EK. Vadymf 12:41, 31 January 2007 (UTC)
I am not convinced that this paper provides a good explanation of DAA.
"Prior to transmission to the TP, the signature is encrypted using the public part of the EK; as a result it can only be decrypted by the TPM it is destined for."
Is quite frankly incorrect. The issuer authenticates the TP as follows: On receipt of the blind message U, the issuer creates a nonce n_i, encrypts it with the public endorsement key of the TPM and returns the encrypted value. The TP computes hash(U||n_i) and sends it to the issuer. The issuer checks the value is correct and is convinced that it is communicating with a valid TP.
The description of rogue tagging is confusing and quite probably wrong - although I am unable to tell because it doesn't quite make sense... The paper does not distinguish between the zeta value which is used during the Join protocol and the zeta value used during the Sign/Verify protocols. —The preceding unsigned comment was added by Bah23 ( talk • contribs) 13:39, 31 January 2007 (UTC).
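The issuer-to-TP authentication step described in the comment above, as an added example that is not part of the original comment or of any DAA implementation. It assumes RSA-OAEP for the encryption to the endorsement key, SHA-256 for the hash, and a 20-byte nonce; the function names and the value of U are constructed for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Assumed encryption parameters; the comment only says "encrypts with the public EK".
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Software stand-in for an endorsement key pair. A real private EK never leaves the TPM.
function makeEndorsementKey() {
  return nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// hash(U || n_i), with SHA-256 as the assumed hash.
function bindHash(U, nonce) {
  return nodeCrypto.createHash("sha256").update(U).update(nonce).digest();
}

// Issuer: on receipt of U, create nonce n_i and encrypt it under the public EK.
function issuerChallenge(ekPublic) {
  const nonce = nodeCrypto.randomBytes(20);
  const encrypted = nodeCrypto.publicEncrypt({ key: ekPublic, ...OAEP }, nonce);
  return { nonce, encrypted };
}

// TP: recover n_i with the private EK and answer with hash(U || n_i).
function tpmResponse(ekPrivate, U, encrypted) {
  const nonce = nodeCrypto.privateDecrypt({ key: ekPrivate, ...OAEP }, encrypted);
  return bindHash(U, nonce);
}

// Issuer: recompute the hash and compare in constant time.
function issuerVerify(U, nonce, response) {
  const expected = bindHash(U, nonce);
  return response.length === expected.length &&
    nodeCrypto.timingSafeEqual(expected, response);
}

function runExchange() {
  const ek = makeEndorsementKey();
  const otherKey = makeEndorsementKey();            // platform without the right EK
  const U = Buffer.from("constructed-blind-message-U");
  const { nonce, encrypted } = issuerChallenge(ek.publicKey);
  const genuine = issuerVerify(U, nonce, tpmResponse(ek.privateKey, U, encrypted));
  let impostor = false;
  try {                                             // wrong key: OAEP decryption fails
    impostor = issuerVerify(U, nonce, tpmResponse(otherKey.privateKey, U, encrypted));
  } catch { impostor = false; }
  // A response computed for one U must not verify for a different U.
  const swapped = issuerVerify(Buffer.from("constructed-other-U"), nonce,
    tpmResponse(ek.privateKey, U, encrypted));
  return { genuine, impostor, swapped };
}
```

The exchange shows that only the holder of the private EK can recover n_i, and that the response is bound to the specific U the issuer received.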
idemix should be discussed somewhere in the main body of the text in order to explain its relevance. —The preceding unsigned comment was added by Bah23 ( talk • contribs) 11:12, 6 February 2007 (UTC).
I believe that the claim about anonymity revocation is incorrect. The principal referenced paper by Brickell et al. states that "... our scheme can be seen as a group signature scheme without the capability to open signatures (or anonymity revocation)...".
This problem is touched on in a separate discussion above, but was not addressed.
Perhaps the author was confusing the notion of anonymity revocation with the blacklisting capability, which exists, but still preserves anonymity.
I'm removing the claim from the article.
Leotohill ( talk) 03:06, 28 June 2009 (UTC)
I would suggest removing the reference to zero knowledge. Challenges are generated at DAA Join and Sign with a hash and not by a Verifier. Zero knowledge requires a simulator that was never introduced for DAA. Choosing a challenge with a hash makes a simulator (almost) impossible. A general reference to proofs of knowledge still may be acceptable.
A DAA Verifier colluding with a DAA Issuer can always track DAA Users that have specific credentials issued, as explained in the IACR 2008/277 preprint.
Signing keys (like RSA) with DAA may be considered pointless because of the easy linking of all signatures produced with those keys. It may be advised to sign messages instead. 132.204.53.187 ( talk) 20:17, 30 June 2010 (UTC)