W3C home > Mailing lists > Public > public-xg-webid@w3.org > March 2011

Re: Certificate Authorities under increasing spotlight

From: Henry Story <henry.story@bblfish.net>
Date: Fri, 25 Mar 2011 10:01:56 +0100
Cc: "'WebID XG'" <public-xg-webid@w3.org>
Message-Id: <101ABBCB-0ECF-42B0-B335-8DAE3E04D851@bblfish.net>
To: peter williams <home_pw@msn.com>
It seems that your point it that these changes are fraught with politics therefore it can't happen.  That sounds way too idealistic. How do you think things happen in the real world? After all there is always politics in human affairs. 

One important agent for change is pain. That is increasing constantly, and clearly enough to effect change. Witness:

 1. DNS is broken, and getting worse all the time as Dan Kaminsky showed a few years ago
     -> DNSsec is actually being deployed as a result! The root is signed, .info and .org are in, .com is soon joining.
 2. CAs are not up to the task as they are structured currently, and scandals are hitting the headlines more and more often
     -> Dane is quite an obvious improvement that complements nicely the work of the CAs

  Business and governments need security more and more, so a compromise will be found. And it need not be a bad one.

The other important agent for change is desire. Flattery plays well in that space for example, by increasing people's image of benefits. So let me answer your questions below to show how these are being applied by the pretty savvy crypto community.

On 24 Mar 2011, at 21:56, peter williams wrote:

> Ok. So the real policy issue is – ignoring a swap of bit bucket - that the name scoping rules within X.509 certs (signed keys) should be turned on and polished up globally – since they are rarely turned on or leveraged, outside military user groups. Then, a CA cannot act outside the name scope of its parent cert or its root registration record, without detection of that scoping violation by operational agents (browsers). The root authority sets/enforces the scope, by issuing signed scopes known as CA certs and cross-certs. (SAML does the same thing essentially, using signed XML metadata that again sets the audience limits of IDP agents, to govern the assertion rewriting world)
>  
> For example, only Germany, France and UK can issue .com certs, with US being banned.
>  
> Huh? Is that going to fly?

It has flown very well until now. .com is owned by a US firm. It is going to clearly be a domain run by a US company for a while. They pushed the internet most at first and this is one of their many advantages for having done so. The USA has been pushing the idea of commerce and free enterprise most, and the alliance between commerce and browsers was a very important alliance to move the internet into every household.

Had communism been successful, .com might have been a Soviet domain with a different meaning. :-)

> For hierarchical names (*.ac.uk, *.uk, *.us, *.ca.us) this is all in the IETF X/509/PKIX standard and in Windows, awaiting community decision to turn on the controls. It’s politically fraught (since now 1000 CAs apparently will all whine about their rights, and lost freedoms, and who know what else). But, it’s not a technological issue. Its politics, where it belongs. Use DNS scopes, SAML scopes, or X.509 scopes,

Exactly they would all complain. And that is why Dane and DNSsec are such clever diplomatic moves. The CAs won't play the game of restricting themselves using X509 name constraints, but Dane will get the same effect as required above without needing them to agree. 

Could they stop it? No: the recent security scandals have seen to that. After all Dane is just adding another security layer that can complement CA security. How can CAs complain against more security?

> the politics is the same: vendor compliance of the security standard, correct enforcement of the control plane, authority recognition by CAs, and will to be governed by another (a policy authority) in a trans-national world.
>  
> You can just hear Gilmore now: I will never be ruled by the US government policy authority… You can just hear the US military: the worldwide root will be on US soil, run by highly trusted intelligence officer soldier like Manning. You can hgear the FBI, all roots will chain to us, so we have “forensic integrity.” In France, we will never accept a British root; or any cert using English names. In NATO, we need to reissue everyone a new cert, in parallel, since we are all transnational. In Canada, we think there should be no roots, only cross-cert meshes at the top layer so everyone gets along. In Thailand, we think all Postal office should be the CA. In Bahrain, only certs for Sunnis; the other groups clean our bathrooms and don’t need certs to skivvy! In California, we won’t accept a US GSA signing authority, as we want to sign marriage license for gay folks (and the GSA cert wont allow that use). In Georgia, we refuse to legally recognize the certs from Maryland, as they wont accept our notarial documents…in court cases.

yes, I think you are describing exactly what DNSsec enables. Her Majesty through her government and loyal subjects controls .uk, France  .fr, and so on.

Signing the US root is a way to get the US ego involved. It is very effective force for moving the United States of America, who love to be n.1. 

The Europeans will probably not have that much of a problem with that. Anyone who did could just unchain and get the browsers to place their unsigned root certificate for their domain in the DNS root certificate space. It is difficult to imagine browser vendors fussing over this: how would they defend themselves? They allowed 1000 private owned unaccountable CAs to place their certificates in the browser, but would refuse countries to do the same? Not likely.

>  
> In the windows world, this can be sorted in 1 week. It can be done globally in a week with windows update to distributed the revised signed root list (this is how long it took to populate globally the revoked authorities during a certain, infamous VeriSign compromise of Authenticode). It’s all waiting there, seeking community will to exploit the control plane of certs (which are largely equivalent to the control plane proposed by DNS types)

Yes, CA self scoping is not likely to happen. DNSsec is.

>  
> One can use the basic constraints extension in CA certs, while we are at it. This limits a CA powers to enable additional CAs
>  
> Any takers?  Good luck!

But Dane could solve this nicely without needing CA buy in. Political problem solved with techno politics.

>  It’s interesting that self-assertions and self-signed certs for webid, the nice individual, decentralized webby world of self-managed foaf cards has rapidly turned to policy on roots. But, then, it always does.

I think WebID could do without DNS as I argued in the e-mail recently relating to the FreedomBox.

But we are not just trying to build hypothetical protocols here, but ones that can work immediately and for a large number of people. And since WebID will initially be deployed on infrastructure where CAs play a very important role, and where DNSsec seems to constitute an improvement, it is really important to follow the moves there.

Also as pointed out above, I don't think that DNSsec is centralised. That could very well be seen as a move to help the biggest player endorse it.


>  
> (for javascript coding DES/RSA, say, I meant simply serve the foo.js from an https server populated with a high-assurance govt server cert) – which speaks for its integrity. If two servers share foo.js and foo1.js with each other, one simply implements a “next layer up” SSL message exchange using the javascript…, free of policy controls like CA name scopes, etc.
>  
> From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org] On Behalf Of Henry Story
> Sent: Thursday, March 24, 2011 12:51 PM
> To: peter williams
> Cc: 'WebID XG'
> Subject: Re: Certificate Authorities under increasing spotlight
>  
>  
> On 24 Mar 2011, at 20:23, peter williams wrote:
> 
> 
>  
> -----Original Message-----
> From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org] On Behalf Of Henry Story
> Sent: Thursday, March 24, 2011 10:55 AM
> To: peter williams
> Cc: 'WebID XG'
> Subject: Re: Certificate Authorities under increasing spotlight
>  
>  
> On 24 Mar 2011, at 18:28, peter williams wrote:
> > Nothing in DANE fixes the problem. It just shunts it around, with some
> > other vendor hoping to capture some control over the key management
> > infrastructure. For some reason, some folks believe that a
> > DANE-enhanced DNS now wielding Thor's mighty hammer, will fix the
> > non-problem. PKI hierarchies were evil, but hierarchical DNS signed zones are not...somehow.
>  
> They are a lot less problematic for the reasons explained in the CNET article.
> For one the US banks and large companies will feel a lot more comfortable knowing that their security is not in the hands of the enemies of the US.
>  
> Do explain why. I found no supporting argument in the CNET article - it was journalist grade reasoning, and not his best either. So far, I’ve heard a national security argument, not a civilian argument. One is militarizing the web, with that argument; and one must expect China to respond in kind. It’s only fair to 1.5 billion people, there, and the 2,500 computer engineers who graduated, just yesterday (and today, and tomorrow, and next Tuesday, and …).
>  
> The argument was very clear and proceeds in 2 points:
>  
>  1. currently any CA in the world that is in a browser can use their root key to create fake certificates for any domain in the world. So a few universities in Germany can create fake Bank of America certificates.
>  
>  2. DNSsec with Dane will reduce that simply because it creates responsibilities that are correctly aligned with interests of the real world actors: states. The .us domain will be controlled by the us, and the .uk domain by the uk. German universities will no longer be able to create fake certificates for bank of america.
>  
> The journalism is very good: it has made a complex issue understandable. For anyone with an understanding of Realpolitik the logic is very clear.
> 
> 
>  
> Explain why you think that the root keys for the DNS zone
>  
> I don't see root keys as a necessary part of DNSsec. They just make it easier to get it started. DNSsec can work, and until last year has worked without. This is a bootstrapping issue.
> 
> 
> or RR signing, and the inevitable signing of delegated signing powers to zone providers in national and corporate jurisdictions, will be any different a political landscape to the world of root keys managed by cert stores in browser-land, in EV land, in Authenticode-land, in java jar signing land, etc. Why will e-commerce be saved , when one swaps bit bucket?
>  
> Why this notion of "saving"? Why the drama?
> Security as said before is not a one strike solution. If you are looking for that you will be decieved. But  there are things that are clearly improvements.
>  
> And to your questions the answer is yes. Of course it is going to be better if China can't sign certificates for the Bank of America anymore.
> 
> 
> Doesn’t civilian openness require it all be pretty low-assurance, and at best medium assurance if one spends an additional $1 a year bothering to confirm some facts? What 15 years taught me, is that is REALLY TOUGH to get anyone to spend even $1 a month.
>  
> Surely, the root keys for DNS zone and RR signing will just be in the root hint file in each PC, which is semantically just the same as the file holding the trust anchors for certs. That file, and its own distribution, aiuthenticity, control and local extensibility …is still the crux of the matter.
>  
> yes, it does not solve all the problems...
>  
>  
> Now, I have an argument that I find convincing – but then I’m just convincing myself, which is not very impressive rhetoric. But, it comes down to a webid premise (and web premise). For, Im able to accommodate the vision you advocate; as it’s an enabler.
>  
> ok.
> 
> 
> Assuming that from DANE/DNSsec trust the trust in a billion webid foaf files is booted (being served from a now publicly trusted endpoints),
>  
> yes, that's it. It helps us a lot to boot security. It means browser vendors will be on board for reasons that have nothing to do with our group which they will be more likely to ignore.
> 
> 
> one also has the ability to distribute javascript
>  
> Sorry, you loose me when you speak of javascript in the cert... Is it that you think Web people like javascript, so if you powder something with javascript it will be webby? That is to look for the web in the wrong place. Look at Roy Fieldings thesis on REST please.
>  
> 
> 
> – delivering interpreted crypto code (programmed one of those 15000 computer engineers who graduated LAST WEEK, based on new math developed by one of the 1000 math graduates from the same week’s graduation class). Thus one layer – all controlling and locked down for high-assurance to serve the large US banks outreach to consumers who have similar high assurance tokens to consume e-gov services - merely boots another crypto layer for individuals. It’s the nature of a Turing machine, that one machine begets another.
>  
> Need to be careful when starting a cyberwar – using nationalistic arguments. Cyber is about people, and like most war, it comes down to numbers of boots on the ground (or eyes on screens).
>  
>  
>  
> Social Web Architect
> http://bblfish.net/
>  

Social Web Architect
http://bblfish.net/
Received on Friday, 25 March 2011 09:02:35 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 25 March 2011 09:02:37 GMT