RE: self-signed certificates in DANE

There are more design flaws at a policy level in DANE - if you look at it as
an attempt to redesign https.

Rather than be a specification of a path discovery method (which is entirely
legit), one notes how the document attempts to also be a policy and
compliance vehicle. It starts to mandate that, based on the result of
discovery, TLS client MUST do this, and NOT that. It's using certs
*discovery* to control the SAs, that is.

This is "poor" design, as it fails to distinguish between the validation
steps of path discovery, vs path closure. Using DNS to search out a chain of
certs on a path that meets discovery criteria XYZ, is fine. This cert path
is then returned to the validation agent, asserted to meet the criteria. The
SSL handlers in the resource server then decide how - INDEPENDENTLY of the
discovery agent - to enforce the path, given signals WITHIN the cert path or
signals from locally trusted policy stores that add local properties to the
certs in the cert path.

While one can specify a closure process that simply does what a discovery
process tells it to do when enforcing chaining policy (non-cert control
properties implied by discovery), this is a deployment option. An SSL RP
needs to be able to deploy several pairs of discovery/closure providers,
with different enforcement and dependency properties between discovery role
and closure role. 

That there are self-signed certs is good. I would not counsel supporting
self-signed certs that are subject to external control logic however. You
don't throw out CAs, to replace their role with DNS. The point about
self-signed certs is that they are self-standing assertions, to which several
parties can add reputation - none of which are inherently "controlling"
(unless the validator so chooses to make one so).



-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Henry Story
Sent: Wednesday, March 23, 2011 5:33 AM
To: WebID XG
Subject: self-signed certificates in DANE

DANE has a section now on self-signed certificates

  http://tools.ietf.org/html/draft-ietf-dane-protocol-06#section-2.3

I think it is going in the direction we would like: to make it easy for web
sites to create self signed certs for their services. But I am not sure.

	Henry

Social Web Architect
http://bblfish.net/

Received on Wednesday, 23 March 2011 17:49:45 UTC