W3C home > Mailing lists > Public > public-xg-webid@w3.org > March 2011

RE: Certificate Authorities under increasing spotlight

From: peter williams <home_pw@msn.com>
Date: Thu, 24 Mar 2011 13:56:24 -0700
Message-ID: <SNT143-ds163C3D495C65AA0180EE4392B60@phx.gbl>
To: "'Henry Story'" <henry.story@bblfish.net>
CC: "'WebID XG'" <public-xg-webid@w3.org>
Ok. So the real policy issue is - ignoring a swap of bit bucket - that the
name scoping rules within X.509 certs (signed keys) should be turned on and
polished up globally - since they are rarely turned on or leveraged, outside
military user groups. Then, a CA cannot act outside the name scope of its
parent cert or its root registration record, without detection of that
scoping violation by operational agents (browsers). The root authority
sets/enforces the scope, by issuing signed scopes known as CA certs and
cross-certs. (SAML does the same thing essentially, using signed XML
metadata that again sets the audience limits of IDP agents, to govern the
assertion rewriting world) 


For example, only Germany, France and UK can issue .com certs, with US being


Huh? Is that going to fly?


For hierarchical names (*.ac.uk, *.uk, *.us, *.ca.us) this is all in the
IETF X/509/PKIX standard and in Windows, awaiting community decision to turn
on the controls. It's politically fraught (since now 1000 CAs apparently
will all whine about their rights, and lost freedoms, and who know what
else). But, it's not a technological issue. Its politics, where it belongs.
Use DNS scopes, SAML scopes, or X.509 scopes, the politics is the same:
vendor compliance of the security standard, correct enforcement of the
control plane, authority recognition by CAs, and will to be governed by
another (a policy authority) in a trans-national world. 


You can just hear Gilmore now: I will never be ruled by the US government
policy authority. You can just hear the US military: the worldwide root will
be on US soil, run by highly trusted intelligence officer soldier like
Manning. You can hgear the FBI, all roots will chain to us, so we have
"forensic integrity." In France, we will never accept a British root; or any
cert using English names. In NATO, we need to reissue everyone a new cert,
in parallel, since we are all transnational. In Canada, we think there
should be no roots, only cross-cert meshes at the top layer so everyone gets
along. In Thailand, we think all Postal office should be the CA. In Bahrain,
only certs for Sunnis; the other groups clean our bathrooms and don't need
certs to skivvy! In California, we won't accept a US GSA signing authority,
as we want to sign marriage license for gay folks (and the GSA cert wont
allow that use). In Georgia, we refuse to legally recognize the certs from
Maryland, as they wont accept our notarial documents.in court cases.


In the windows world, this can be sorted in 1 week. It can be done globally
in a week with windows update to distributed the revised signed root list
(this is how long it took to populate globally the revoked authorities
during a certain, infamous VeriSign compromise of Authenticode). It's all
waiting there, seeking community will to exploit the control plane of certs
(which are largely equivalent to the control plane proposed by DNS types)


One can use the basic constraints extension in CA certs, while we are at it.
This limits a CA powers to enable additional CAs


Any takers?  Good luck!


It's interesting that self-assertions and self-signed certs for webid, the
nice individual, decentralized webby world of self-managed foaf cards has
rapidly turned to policy on roots. But, then, it always does.


(for javascript coding DES/RSA, say, I meant simply serve the foo.js from an
https server populated with a high-assurance govt server cert) - which
speaks for its integrity. If two servers share foo.js and foo1.js with each
other, one simply implements a "next layer up" SSL message exchange using
the javascript., free of policy controls like CA name scopes, etc.


From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Henry Story
Sent: Thursday, March 24, 2011 12:51 PM
To: peter williams
Cc: 'WebID XG'
Subject: Re: Certificate Authorities under increasing spotlight



On 24 Mar 2011, at 20:23, peter williams wrote:


-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Henry Story
Sent: Thursday, March 24, 2011 10:55 AM
To: peter williams
Cc: 'WebID XG'
Subject: Re: Certificate Authorities under increasing spotlight



On 24 Mar 2011, at 18:28, peter williams wrote:

> Nothing in DANE fixes the problem. It just shunts it around, with some

> other vendor hoping to capture some control over the key management

> infrastructure. For some reason, some folks believe that a

> DANE-enhanced DNS now wielding Thor's mighty hammer, will fix the

> non-problem. PKI hierarchies were evil, but hierarchical DNS signed zones
are not...somehow.


They are a lot less problematic for the reasons explained in the CNET

For one the US banks and large companies will feel a lot more comfortable
knowing that their security is not in the hands of the enemies of the US.


Do explain why. I found no supporting argument in the CNET article - it was
journalist grade reasoning, and not his best either. So far, I've heard a
national security argument, not a civilian argument. One is militarizing the
web, with that argument; and one must expect China to respond in kind. It's
only fair to 1.5 billion people, there, and the 2,500 computer engineers who
graduated, just yesterday (and today, and tomorrow, and next Tuesday, and


The argument was very clear and proceeds in 2 points:


 1. currently any CA in the world that is in a browser can use their root
key to create fake certificates for any domain in the world. So a few
universities in Germany can create fake Bank of America certificates.


 2. DNSsec with Dane will reduce that simply because it creates
responsibilities that are correctly aligned with interests of the real world
actors: states. The .us domain will be controlled by the us, and the .uk
domain by the uk. German universities will no longer be able to create fake
certificates for bank of america.


The journalism is very good: it has made a complex issue understandable. For
anyone with an understanding of Realpolitik the logic is very clear.


Explain why you think that the root keys for the DNS zone 


I don't see root keys as a necessary part of DNSsec. They just make it
easier to get it started. DNSsec can work, and until last year has worked
without. This is a bootstrapping issue.

or RR signing, and the inevitable signing of delegated signing powers to
zone providers in national and corporate jurisdictions, will be any
different a political landscape to the world of root keys managed by cert
stores in browser-land, in EV land, in Authenticode-land, in java jar
signing land, etc. Why will e-commerce be saved , when one swaps bit bucket?


Why this notion of "saving"? Why the drama?

Security as said before is not a one strike solution. If you are looking for
that you will be decieved. But  there are things that are clearly


And to your questions the answer is yes. Of course it is going to be better
if China can't sign certificates for the Bank of America anymore.

Doesn't civilian openness require it all be pretty low-assurance, and at
best medium assurance if one spends an additional $1 a year bothering to
confirm some facts? What 15 years taught me, is that is REALLY TOUGH to get
anyone to spend even $1 a month.


Surely, the root keys for DNS zone and RR signing will just be in the root
hint file in each PC, which is semantically just the same as the file
holding the trust anchors for certs. That file, and its own distribution,
aiuthenticity, control and local extensibility .is still the crux of the


yes, it does not solve all the problems...



Now, I have an argument that I find convincing - but then I'm just
convincing myself, which is not very impressive rhetoric. But, it comes down
to a webid premise (and web premise). For, Im able to accommodate the vision
you advocate; as it's an enabler. 



Assuming that from DANE/DNSsec trust the trust in a billion webid foaf files
is booted (being served from a now publicly trusted endpoints), 


yes, that's it. It helps us a lot to boot security. It means browser vendors
will be on board for reasons that have nothing to do with our group which
they will be more likely to ignore.

one also has the ability to distribute javascript 


Sorry, you loose me when you speak of javascript in the cert... Is it that
you think Web people like javascript, so if you powder something with
javascript it will be webby? That is to look for the web in the wrong place.
Look at Roy Fieldings thesis on REST please.


- delivering interpreted crypto code (programmed one of those 15000 computer
engineers who graduated LAST WEEK, based on new math developed by one of the
1000 math graduates from the same week's graduation class). Thus one layer -
all controlling and locked down for high-assurance to serve the large US
banks outreach to consumers who have similar high assurance tokens to
consume e-gov services - merely boots another crypto layer for individuals.
It's the nature of a Turing machine, that one machine begets another.


Need to be careful when starting a cyberwar - using nationalistic arguments.
Cyber is about people, and like most war, it comes down to numbers of boots
on the ground (or eyes on screens).




Social Web Architect

Received on Thursday, 24 March 2011 20:57:03 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:23 UTC