W3C home > Mailing lists > Public > public-xg-webid@w3.org > March 2011

RE: Certificate Authorities under increasing spotlight

From: peter williams <home_pw@msn.com>
Date: Thu, 24 Mar 2011 10:28:09 -0700
Message-ID: <SNT143-ds17FEE9553E346FCCB1F6592B60@phx.gbl>
To: "'Henry Story'" <henry.story@bblfish.net>, "'WebID XG'" <public-xg-webid@w3.org>

Nothing in DANE fixes the problem. It just shunts it around, with some other
vendor hoping to capture some control over the key management
infrastructure. For some reason, some folks believe that a DANE-enhanced DNS
now wielding Thor's mighty hammer, will fix the non-problem. PKI hierarchies
were evil, but hierarchical DNS signed zones are not...somehow. 

Since we have an open'ish society benefiting from linked data, anyone can
form a chain of trust point, expressed as certified pubkeys. All such chains
of certs/keys are equal. This is what I worked for, knowing that it was an
ideal. I know perfectly well that each national area of the web superimposes
national policies, coverty or not. Its cryptopolitics as normal, and there
is no point being an absolutist in this topic area. By having a compromise
attitude, we have got a long way from the crypto-suppressions of the early
90s, and avoided starting a crypto war.

Formally, no one chain of certs in cert graph space is any more
authoritative than any other - until a validator imposes a logic defining a
rule for what is considered valid. Commonly, browser vendors impose a
validity model, using theories of trust anchors in their implementation cert
stores. Different models/builds/configurations of browsers can apply
different validity models, often enabling the "requirements" of national
governments. (Often, these govts act though regulated ISPs, or DNS
providers, and CAs).

In windows, an https client will always first observe the "government's"
trust model on server certs - defined as the trust model found in civil
society - the "web" as we here probably define it. It then invites a client
app builder to override that opinion, being an open programming platform
(still). In some circles, folks don't like this availability of this option
(it allows terrorists and subversives... etc etc), but windows APIs allows
the app to accept the cert, even the civil society recommended against
(assuming it was even allowed to be visible).

Obviously, the openness works the other way around too: since now what is
valid under the default regime can be invalid/blocked under another, given a
[mandatory] plugin or browser config. 

It's all subjective. As the world of encryption is ultimately the debate on
spying, this was as good as we could do. It's better than the cold war
era...is all I can really claim. The debate is civil, and ongoing. It will
probably never stop... and neither DANE nor webid will magically sort it
out.


-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Henry Story
Sent: Thursday, March 24, 2011 5:10 AM
To: WebID XG
Subject: Certificate Authorities under increasing spotlight

CNET has a long article "Hackers exploit chink in Web's armor"

http://news.cnet.com/8301-31921_3-20046588-281.html

and I have seen this story gaining very wide media acceptance.

If you look carefully you will see how DANE (if they don't mess it up) and
DNSsec are going to form the first round of solutions to this problem.
There are never final solutions in security space, and that is why I mention
this as the first round. These solutions put states at the center of trust.

Even though governments are not a perfect, they are a lot more accountable
in democratically elected countries, and their sphere of influence as well
as the rules of intergovernmental action have been more and more clearly
defined since the second world war.

So a .ch domain will tell you that the company or individual you are
connecting to is accountable to Swiss legislation, a .us to the legislation
of the USA. So if you are communicating with wellsfargo.com the legislation
will be US based you will know that the connection is as good as US
security, and won't depend on the weakness of the weakest link globally -
which is to no link at all.

  Anyway, it is clear from these articles that DNSsec and Dane solve the
first round of problem. 

	Henry


Social Web Architect
http://bblfish.net/
Received on Thursday, 24 March 2011 17:28:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 24 March 2011 17:28:44 GMT