W3C home > Mailing lists > Public > public-xg-webid@w3.org > March 2011

Re: Certificate Authorities under increasing spotlight

From: Henry Story <henry.story@bblfish.net>
Date: Thu, 24 Mar 2011 18:55:09 +0100
Cc: "'WebID XG'" <public-xg-webid@w3.org>
Message-Id: <175D23B2-6450-47CB-8E59-0296C333B845@bblfish.net>
To: peter williams <home_pw@msn.com>

On 24 Mar 2011, at 18:28, peter williams wrote:
> Nothing in DANE fixes the problem. It just shunts it around, with some other
> vendor hoping to capture some control over the key management
> infrastructure. For some reason, some folks believe that a DANE-enhanced DNS
> now wielding Thor's mighty hammer, will fix the non-problem. PKI hierarchies
> were evil, but hierarchical DNS signed zones are not...somehow. 

They are a lot less problematic for the reasons explained in the CNET article.
For one the US banks and large companies will feel a lot more comfortable knowing
that their security is not in the hands of the enemies of the US.

The US government I hope you realise is a very very large actor, and so are all the other
governments. So my guess is that they will force this through whether you like it or 
not. And as it happens it's better than what we have, a lesser evil, which is what 
politics is about. I quote you

"The purpose of politics is to make an ever growing number of people believe,
in something half good. Typically, the halfness changes, as the politics
evolves."


> 
> Since we have an open'ish society benefiting from linked data, anyone can
> form a chain of trust point, expressed as certified pubkeys. All such chains
> of certs/keys are equal. This is what I worked for, knowing that it was an
> ideal. I know perfectly well that each national area of the web superimposes
> national policies, coverty or not.

Indeed this is an issue of national politics, and in those states have of course
a leading role. Those are the ones that define most of the top level domains as it happens.

The linked data web of trust can build on top and alongside the DNSsec based hierarchy of trust.
They are not incompatible.

> Its cryptopolitics as normal, and there
> is no point being an absolutist in this topic area. By having a compromise
> attitude, we have got a long way from the crypto-suppressions of the early
> 90s, and avoided starting a crypto war.

Good. No need for absolutism. Dane and DNSsec are not "evil" they are another
piece to help increase security. Another defense.   

> 
> Formally, no one chain of certs in cert graph space is any more
> authoritative than any other - until a validator imposes a logic defining a
> rule for what is considered valid. Commonly, browser vendors impose a
> validity model, using theories of trust anchors in their implementation cert
> stores. Different models/builds/configurations of browsers can apply
> different validity models, often enabling the "requirements" of national
> governments. (Often, these govts act though regulated ISPs, or DNS
> providers, and CAs).

As the article points out, the national governements do not have a 
way of controlling the CA based certs. And in fact nobody does, which
is why the whole trust system is breaking down. The weakest link in the chain
sets the strength of trust in the whole system. 

It's amazing it lasted this long.

> 
> In windows, an https client will always first observe the "government's"
> trust model on server certs - defined as the trust model found in civil
> society - the "web" as we here probably define it. It then invites a client
> app builder to override that opinion, being an open programming platform
> (still). In some circles, folks don't like this availability of this option
> (it allows terrorists and subversives... etc etc), but windows APIs allows
> the app to accept the cert, even the civil society recommended against
> (assuming it was even allowed to be visible).
> 
> Obviously, the openness works the other way around too: since now what is
> valid under the default regime can be invalid/blocked under another, given a
> [mandatory] plugin or browser config. 
> 
> It's all subjective.

It is not because something is subjective that it is without rules, that it lacks
criteria of evaluation.

> As the world of encryption is ultimately the debate on
> spying, this was as good as we could do. It's better than the cold war
> era...is all I can really claim. The debate is civil, and ongoing. It will
> probably never stop... and neither DANE nor webid will magically sort it
> out.

Indeed nothing magically sorts out a security problem. Like knowledge there are
no bounds. But there is better and worse, more or less powerful knowledge.
DNSsec is clearly improving things as I think that article shows quite clearly.

And what is especially clear to me is that some very large forces are ligning up
behind this, because very important interests here are at stake: the whole ecommerce
system for one.

As it happens, we can ride along happily with this evolution. 



> 
> 
> -----Original Message-----
> From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
> On Behalf Of Henry Story
> Sent: Thursday, March 24, 2011 5:10 AM
> To: WebID XG
> Subject: Certificate Authorities under increasing spotlight
> 
> CNET has a long article "Hackers exploit chink in Web's armor"
> 
> http://news.cnet.com/8301-31921_3-20046588-281.html
> 
> and I have seen this story gaining very wide media acceptance.
> 
> If you look carefully you will see how DANE (if they don't mess it up) and
> DNSsec are going to form the first round of solutions to this problem.
> There are never final solutions in security space, and that is why I mention
> this as the first round. These solutions put states at the center of trust.
> 
> Even though governments are not a perfect, they are a lot more accountable
> in democratically elected countries, and their sphere of influence as well
> as the rules of intergovernmental action have been more and more clearly
> defined since the second world war.
> 
> So a .ch domain will tell you that the company or individual you are
> connecting to is accountable to Swiss legislation, a .us to the legislation
> of the USA. So if you are communicating with wellsfargo.com the legislation
> will be US based you will know that the connection is as good as US
> security, and won't depend on the weakness of the weakest link globally -
> which is to no link at all.
> 
>  Anyway, it is clear from these articles that DNSsec and Dane solve the
> first round of problem. 
> 
> 	Henry
> 
> 
> Social Web Architect
> http://bblfish.net/
> 
> 
> 

Social Web Architect
http://bblfish.net/
Received on Thursday, 24 March 2011 17:55:48 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 24 March 2011 17:55:50 GMT