RE: Certificate Authorities under increasing spotlight


-----Original Message-----
From: []
On Behalf Of Henry Story
Sent: Thursday, March 24, 2011 10:55 AM
To: peter williams
Cc: 'WebID XG'
Subject: Re: Certificate Authorities under increasing spotlight



On 24 Mar 2011, at 18:28, peter williams wrote:

> Nothing in DANE fixes the problem. It just shunts it around, with some 

> other vendor hoping to capture some control over the key management 

> infrastructure. For some reason, some folks believe that a 

> DANE-enhanced DNS now wielding Thor's mighty hammer, will fix the 

> non-problem. PKI hierarchies were evil, but hierarchical DNS signed zones
are not...somehow.


They are a lot less problematic for the reasons explained in the CNET

For one the US banks and large companies will feel a lot more comfortable
knowing that their security is not in the hands of the enemies of the US.


Do explain why. I found no supporting argument in the CNET article - it was
journalist grade reasoning, and not his best either. So far, I've heard a
national security argument, not a civilian argument. One is militarizing the
web, with that argument; and one must expect China to respond in kind. It's
only fair to 1.5 billion people, there, and the 2,500 computer engineers who
graduated, just yesterday (and today, and tomorrow, and next Tuesday, and


Explain why you think that the root keys for the DNS zone or RR signing, and
the inevitable signing of delegated signing powers to zone providers in
national and corporate jurisdictions, will be any different a political
landscape to the world of root keys managed by cert stores in browser-land,
in EV land, in Authenticode-land, in java jar signing land, etc. Why will
e-commerce be saved , when one swaps bit bucket? Doesn't civilian openness
require it all be pretty low-assurance, and at best medium assurance if one
spends an additional $1 a year bothering to confirm some facts? What 15
years taught me, is that is REALLY TOUGH to get anyone to spend even $1 a


Surely, the root keys for DNS zone and RR signing will just be in the root
hint file in each PC, which is semantically just the same as the file
holding the trust anchors for certs. That file, and its own distribution,
aiuthenticity, control and local extensibility .is still the crux of the


Now, I have an argument that I find convincing - but then I'm just
convincing myself, which is not very impressive rhetoric. But, it comes down
to a webid premise (and web premise). For, Im able to accommodate the vision
you advocate; as it's an enabler. Assuming that from DANE/DNSsec trust the
trust in a billion webid foaf files is booted (being served from a now
publicly trusted endpoints), one also has the ability to distribute
javascript - delivering interpreted crypto code (programmed one of those
15000 computer engineers who graduated LAST WEEK, based on new math
developed by one of the 1000 math graduates from the same week's graduation
class). Thus one layer - all controlling and locked down for high-assurance
to serve the large US banks outreach to consumers who have similar high
assurance tokens to consume e-gov services - merely boots another crypto
layer for individuals. It's the nature of a Turing machine, that one machine
begets another.


Need to be careful when starting a cyberwar - using nationalistic arguments.
Cyber is about people, and like most war, it comes down to numbers of boots
on the ground (or eyes on screens).

Received on Thursday, 24 March 2011 19:23:40 UTC