RE: wikileaks certs, ICANN, DNS, and DANE. using ldap to parallel a DANE zone from peter williams on 2011-04-21 (public-xg-webid@w3.org from April 2011)

From: peter williams <home_pw@msn.com>
Date: Thu, 21 Apr 2011 05:49:53 -0700
To: "'Henry Story'" <henry.story@bblfish.net>
CC: <public-xg-webid@w3.org>
Message-ID: <SNT143-ds17232436C75DAFA670E20992920@phx.gbl>
I don't know why you (and I say you, as I don't know anyone else who argues
for it) ties the brand of webid to DANE. Perhaps there are meetings I don't
know about? One should be aware of lots of political history here, as the
telcos in the ENUM space vie for the same power - using DNS more
intelligently for key management than simple signed RRs. One might want to
understand ENUM, and the issue of private ENUM (the ability to run a walled
garden DNS cache, walled off to assure it against poisoning). Comodo looks
like a fun little company, but is not the heavy weight in the space.

 

Now, I understand the general motive: for a public identifier space, you
want/need the authority field of the URI to be assured, as that underpins
the denotational semantics of the class resolver (given a class name in the
foaf card), and the de-referencing of the resource identifiers to and from
the foaf card. If the endpoint providing the proof of identifier control can
be spoofed, webid is useless. If the resource server uses a cache of triples
for the evidence binding the key to the identifier that is untrusted (or
poisoned), webid is useless. (For useless, perhaps read "unassured",
professionally.) These issues don't get any discussion in the paper (aside
from implying the underlying issues with authority, by reference to DANE).

 

Without giving the game away, state the assurance limits - as assumptions.
Imply that there is a parallel assurance argument, in addition to the
functional benefits based on the protocol.

 

For commodity systems, for low cost, folks will accept quite low assurance
(think real estate) assuming that compensating control system apply to make
up for lack of assurance in information systems (think real estate, where
one *insures* against error in the title record, uses credit reference to
uderping the financial note, and one bases public trust on the notary's
personal identifications.and affadavits). What most matters is resilience,
that is. If the entire MLS web system in the US went down for a week there
would be a lot of whining (before the manual system kicks back in, as
designed, and the trillion dollar cash flow .keeps flowing!). We didn't
allow that economy/flow to become dependent on IT, the internet, or "being
online"- by design. When you are running a system critical to a trillion
dollar cash flow, you *have* to focus as a security engineer on the
assurances - dependencies, resilience, survivability.

 

If we can speak a little to these topics, it will be say something to that
crowd of American identity types (who are probably pre-selected to get them
onboard with the US national id program, which will coordinate such
assurance topics). 

 

 

From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Henry Story
Sent: Thursday, April 21, 2011 1:54 AM
To: peter williams
Cc: public-xg-webid@w3.org
Subject: Re: wikileaks certs, ICANN, DNS, and DANE. using ldap to parallel a
DANE zone

 

 

On 21 Apr 2011, at 02:53, peter williams wrote:





"Both of these technologies should help bring about  an increasingly secure
Web, whilst avoiding the dystopia of excessive centralization" says the bard
in the paper.

 

DANE centralizes - in DNS. Just like ICANN centralized naming authority (in
some US commerce committee, which holds special power over ICANN), and the
top level roots are centralized (in VeriSign/NetworkSolutions, on the
territory of the USA).

 

It is not as centralised as it appears, as I argues a few weeks ago on this
list in the thread "Certificate Authorities under increasing spotlight"

 

http://lists.w3.org/Archives/Public/public-xg-webid/2011Mar/0126.html

 

So on that view DNSsec is as (de)centralised as CAs.

 

But I'll add a twist to the paper.





You cannot have it both ways. Stuffing a self-signed cert is de-centralized;
but if you counter-sign it using a zone-delegation system that is
hierarchical, its STILL centralized. No amount of spin will change this
reality, to engineers interested in survivability and resilience, etc.

 

Remember, a huge amount of work went on to DECOUPLE certs from name servers
(otherwise we could have had a signed directory response do what DANE does.
about 25 years ago).

 

One of the nice things about DANE, though, is that it legitimizes ldaps. If
the logic of DANE makes it fine for a DNS zone authority to counter-sign a
self-signed cert for a "domain-cert_, its equally legitimate for an ldap
authority under a self-appointed zone (dc=com, dc=us -  run by someone
called "peter") to also store a self-signed cert - named identically to the
domain-name used by DANE for the same self-signed cert, in the public DNS
tree. Then,  one lets the SSL cert(s) of the ldaps endpoint(s) speak as a
counter-signature (just as does a DNSSec signature that chains up
hierarchically to a top-level zone controlled CENTRALLY, by US vendors by
and large).

 

Did I say wikileaks, yet , this week? How quickly we forget, how the
tentacles of control work through the naming and DNS system - something that
did NOT impact the wikileaks SSL certs (note).

 

 

 

 

 

Social Web Architect
http://bblfish.net/
Received on Thursday, 21 April 2011 12:50:23 UTC