- From: peter williams <home_pw@msn.com>
- Date: Thu, 24 Mar 2011 10:28:09 -0700
- To: "'Henry Story'" <henry.story@bblfish.net>, "'WebID XG'" <public-xg-webid@w3.org>
Nothing in DANE fixes the problem. It just shunts it around, with some other vendor hoping to capture some control over the key management infrastructure. For some reason, some folks believe that a DANE-enhanced DNS, now wielding Thor's mighty hammer, will fix the non-problem. PKI hierarchies were evil, but hierarchical DNS signed zones are not... somehow.

Since we have an open'ish society benefiting from linked data, anyone can form a chain of trust points, expressed as certified pubkeys. All such chains of certs/keys are equal. This is what I worked for, knowing that it was an ideal. I know perfectly well that each national area of the web superimposes national policies, covertly or not. It's cryptopolitics as normal, and there is no point being an absolutist in this topic area. By having a compromise attitude, we have got a long way from the crypto-suppressions of the early 90s, and avoided starting a crypto war.

Formally, no one chain of certs in cert graph space is any more authoritative than any other - until a validator imposes a logic defining a rule for what is considered valid. Commonly, browser vendors impose a validity model, using theories of trust anchors in their implementation cert stores. Different models/builds/configurations of browsers can apply different validity models, often enabling the "requirements" of national governments. (Often, these govts act through regulated ISPs, or DNS providers, and CAs.)

In Windows, an https client will always first observe the "government's" trust model on server certs - defined as the trust model found in civil society - the "web" as we here probably define it. It then invites a client app builder to override that opinion, being an open programming platform (still). In some circles, folks don't like the availability of this option (it allows terrorists and subversives... etc etc), but Windows APIs allow the app to accept the cert, even one civil society recommended against (assuming it was even allowed to be visible). Obviously, the openness works the other way around too: what is valid under the default regime can now be invalid/blocked under another, given a [mandatory] plugin or browser config. It's all subjective.

As the world of encryption is ultimately the debate on spying, this was as good as we could do. It's better than the cold war era... is all I can really claim. The debate is civil, and ongoing. It will probably never stop... and neither DANE nor WebID will magically sort it out.

-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org] On Behalf Of Henry Story
Sent: Thursday, March 24, 2011 5:10 AM
To: WebID XG
Subject: Certificate Authorities under increasing spotlight

CNET has a long article "Hackers exploit chink in Web's armor"
http://news.cnet.com/8301-31921_3-20046588-281.html
and I have seen this story gaining very wide media acceptance.

If you look carefully you will see how DANE (if they don't mess it up) and DNSsec are going to form the first round of solutions to this problem. There are never final solutions in security space, and that is why I mention this as the first round.

These solutions put states at the center of trust. Even though governments are not perfect, they are a lot more accountable in democratically elected countries, and their sphere of influence as well as the rules of intergovernmental action have been more and more clearly defined since the second world war. So a .ch domain will tell you that the company or individual you are connecting to is accountable to Swiss legislation, a .us to the legislation of the USA.

So if you are communicating with wellsfargo.com, the legislation will be US based, and you will know that the connection is as good as US security, and won't depend on the weakness of the weakest link globally - which is to no link at all.

Anyway, it is clear from these articles that DNSsec and DANE solve the first round of problems.

Henry

Social Web Architect
http://bblfish.net/
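The point Peter makes above, that a certificate chain is neither valid nor invalid until a validator applies its own trust-anchor policy, can be shown mechanically. The following is an added example written for this archive page; it is not code from either correspondent or from the WebID XG. It uses only Go's standard library: it mints two unrelated self-signed roots (the names "Civil Society Root CA" and "National Root CA" and the host example.org are constructed for the example), issues a server certificate under one of them, and then runs the identical leaf through x509.Verify against three different anchor sets: the "default" store holding its issuer, a store holding only the other root, and an application-level override that accepts both.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a self-signed root and one end-entity certificate it issued.
type Chain struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustParse turns the (der, err) pair from CreateCertificate into a parsed cert.
func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildChain creates a fresh root CA named caName and a server certificate
// for host signed by it. Keys, names and validity window are constructed
// for this example (hypothetical CAs, not real trust anchors).
func BuildChain(caName, host string) Chain {
	now := time.Now()
	rootKey := mustKey()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root := mustParse(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))

	leafKey := mustKey()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustParse(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))
	return Chain{Root: root, Leaf: leaf}
}

// ValidUnder reports whether leaf chains to one of the given trust anchors
// and is valid as a server certificate for host. The same leaf can be valid
// under one anchor set and invalid under another: validity is a property of
// the validator's policy, not of the certificate alone. The pool is always
// non-nil so the system store is never consulted implicitly.
func ValidUnder(leaf *x509.Certificate, anchors []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	civil := BuildChain("Civil Society Root CA", "example.org") // constructed
	national := BuildChain("National Root CA", "example.org")   // constructed
	fmt.Println("default store (issuer only):", ValidUnder(civil.Leaf, []*x509.Certificate{civil.Root}, "example.org"))
	fmt.Println("national-only store:        ", ValidUnder(civil.Leaf, []*x509.Certificate{national.Root}, "example.org"))
	fmt.Println("app override (both roots):  ", ValidUnder(civil.Leaf, []*x509.Certificate{civil.Root, national.Root}, "example.org"))
}
```

The leaf's bytes never change between the three calls; only the anchor set does, which is the whole of Peter's "it's all subjective" point in executable form. An application that wants the Windows-style override he describes simply adds (or removes) anchors before calling Verify; an empty pool, the "no link at all" case, rejects everything.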
Received on Thursday, 24 March 2011 17:28:43 UTC