- From: Henry Story <henry.story@bblfish.net>
- Date: Thu, 21 Apr 2011 10:54:16 +0200
- To: peter williams <home_pw@msn.com>
- Cc: <public-xg-webid@w3.org>
- Message-Id: <8EDBF00A-E3F8-4754-9C73-1F19F4850BD3@bblfish.net>
On 21 Apr 2011, at 02:53, peter williams wrote:

> “Both of these technologies should help bring about an increasingly secure Web, whilst avoiding the dystopia of excessive centralization” says the bard in the paper.
>
> DANE centralizes – in DNS. Just like ICANN centralized naming authority (in some US commerce committee, which holds special power over ICANN), and the top level roots are centralized (in VeriSign/NetworkSolutions, on the territory of the USA).

It is not as centralised as it appears, as I argued a few weeks ago on this list in the thread "Certificate Authorities under increasing spotlight":
http://lists.w3.org/Archives/Public/public-xg-webid/2011Mar/0126.html

So on that view DNSsec is as (de)centralised as CAs. But I'll add a twist to the paper.

> You cannot have it both ways. Stuffing a self-signed cert is de-centralized; but if you counter-sign it using a zone-delegation system that is hierarchical, it's STILL centralized. No amount of spin will change this reality, to engineers interested in survivability and resilience, etc.
>
> Remember, a huge amount of work went on to DECOUPLE certs from name servers (otherwise we could have had a signed directory response do what DANE does… about 25 years ago).
>
> One of the nice things about DANE, though, is that it legitimizes ldaps. If the logic of DANE makes it fine for a DNS zone authority to counter-sign a self-signed cert for a “domain-cert”, it's equally legitimate for an ldap authority under a self-appointed zone (dc=com, dc=us - run by someone called “peter”) to also store a self-signed cert – named identically to the domain-name used by DANE for the same self-signed cert, in the public DNS tree. Then, one lets the SSL cert(s) of the ldaps endpoint(s) speak as a counter-signature (just as does a DNSSec signature that chains up hierarchically to a top-level zone controlled CENTRALLY, by US vendors by and large).
>
> Did I say wikileaks yet, this week? How quickly we forget, how the tentacles of control work through the naming and DNS system – something that did NOT impact the wikileaks SSL certs (note).

Social Web Architect
http://bblfish.net/
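Added example, not part of this thread or of any W3C or project code: the client-side check behind the DANE "counter-signature" discussed above, where a TLSA record published in a DNSSEC-signed zone vouches for a self-signed end-entity certificate. Record layout follows RFC 6698; the certificate bytes and the record are constructed placeholders, and DNSSEC validation of the record is assumed to happen elsewhere.

```python
import hashlib
import hmac
from dataclasses import dataclass

# TLSA field values from RFC 6698. Only usage 3 (DANE-EE) with selector 0 (full
# certificate) is handled: the case where the zone vouches directly for a
# self-signed end-entity certificate, with no PKIX chain involved.
USAGE_DANE_EE = 3
SELECTOR_FULL_CERT = 0
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # "certificate association data"

def parse_tlsa_rdata(rdata: bytes) -> TLSARecord:
    """Parse TLSA wire RDATA: usage(1) selector(1) matching_type(1) data(n)."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TLSARecord(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))

def association_data(cert_der: bytes, matching_type: int) -> bytes:
    """Bytes a selector-0 record must carry for this certificate."""
    if matching_type == MATCH_EXACT:
        return cert_der
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(cert_der).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unsupported matching type {matching_type}")

def dane_ee_matches(record: TLSARecord, cert_der: bytes) -> bool:
    """True when a DNSSEC-validated DANE-EE/full-cert record vouches for cert_der.
    DNSSEC validation of the record is assumed done; without it the record
    proves nothing, and that chain of zone signatures is the centralisation at issue."""
    if record.usage != USAGE_DANE_EE or record.selector != SELECTOR_FULL_CERT:
        return False  # other usage/selector combinations need PKIX or SPKI handling
    expected = association_data(cert_der, record.matching_type)
    return hmac.compare_digest(expected, record.data)

# Constructed placeholder standing in for a self-signed cert's DER bytes.
FAKE_CERT_DER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-DER-CERTIFICATE"
# Constructed TLSA RDATA "3 0 1 <sha256>" as the zone owner would publish it.
PUBLISHED_RDATA = bytes([3, 0, 1]) + hashlib.sha256(FAKE_CERT_DER).digest()
```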
Received on Thursday, 21 April 2011 08:54:47 UTC