Re: Certificate Authorities under increasing spotlight

On 24 Mar 2011, at 20:23, peter williams wrote:

> -----Original Message-----
> From: [] On Behalf Of Henry Story
> Sent: Thursday, March 24, 2011 10:55 AM
> To: peter williams
> Cc: 'WebID XG'
> Subject: Re: Certificate Authorities under increasing spotlight
> On 24 Mar 2011, at 18:28, peter williams wrote:
> > Nothing in DANE fixes the problem. It just shunts it around, with some
> > other vendor hoping to capture some control over the key management
> > infrastructure. For some reason, some folks believe that a
> > DANE-enhanced DNS now wielding Thor's mighty hammer, will fix the
> > non-problem. PKI hierarchies were evil, but hierarchical DNS signed zones are not...somehow.
> They are a lot less problematic for the reasons explained in the CNET article.
> For one the US banks and large companies will feel a lot more comfortable knowing that their security is not in the hands of the enemies of the US.
> Do explain why. I found no supporting argument in the CNET article - it was journalist grade reasoning, and not his best either. So far, Ive heard a national security argument, not a civilian argument. One is militarizing the web, with that argument; and one must expect China to respond in kind. Its only fair to 1.5 billion people, there, and the 2,500 computer engineers who graduated, just yesterday (and today, and tomorrow, and next Tuesday, and ).

The argument was very clear and proceeds in 2 points:

 1. currently any CA in the world that is in a browser can use their root key to create fake certificates for any domain in the world. So a few universities in Germany can create fake Bank of America certificates.

 2. DNSsec with Dane will reduce that simply because it creates responsibilities that are correctly aligned with interests of the real world actors: states. The .us domain will be controlled by the us, and the .uk domain by the uk. German universities will no longer be able to create fake certificates for bank of america.

The journalism is very good: it has made a complex issue understandable. For anyone with an understanding of Realpolitik the logic is very clear.

> Explain why you think that the root keys for the DNS zone

I don't see root keys as a necessary part of DNSsec. They just make it easier to get it started. DNSsec can work, and until last year has worked without. This is a bootstrapping issue.

> or RR signing, and the inevitable signing of delegated signing powers to zone providers in national and corporate jurisdictions, will be any different a political landscape to the world of root keys managed by cert stores in browser-land, in EV land, in Authenticode-land, in java jar signing land, etc. Why will e-commerce be saved , when one swaps bit bucket?

Why this notion of "saving"? Why the drama?
Security as said before is not a one strike solution. If you are looking for that you will be decieved. But  there are things that are clearly improvements.

And to your questions the answer is yes. Of course it is going to be better if China can't sign certificates for the Bank of America anymore.

> Doesnt civilian openness require it all be pretty low-assurance, and at best medium assurance if one spends an additional $1 a year bothering to confirm some facts? What 15 years taught me, is that is REALLY TOUGH to get anyone to spend even $1 a month.
> Surely, the root keys for DNS zone and RR signing will just be in the root hint file in each PC, which is semantically just the same as the file holding the trust anchors for certs. That file, and its own distribution, aiuthenticity, control and local extensibility is still the crux of the matter.

yes, it does not solve all the problems...

> Now, I have an argument that I find convincing  but then Im just convincing myself, which is not very impressive rhetoric. But, it comes down to a webid premise (and web premise). For, Im able to accommodate the vision you advocate; as its an enabler.


> Assuming that from DANE/DNSsec trust the trust in a billion webid foaf files is booted (being served from a now publicly trusted endpoints),

yes, that's it. It helps us a lot to boot security. It means browser vendors will be on board for reasons that have nothing to do with our group which they will be more likely to ignore.

> one also has the ability to distribute javascript

Sorry, you loose me when you speak of javascript in the cert... Is it that you think Web people like javascript, so if you powder something with javascript it will be webby? That is to look for the web in the wrong place. Look at Roy Fieldings thesis on REST please.

>  delivering interpreted crypto code (programmed one of those 15000 computer engineers who graduated LAST WEEK, based on new math developed by one of the 1000 math graduates from the same weeks graduation class). Thus one layer  all controlling and locked down for high-assurance to serve the large US banks outreach to consumers who have similar high assurance tokens to consume e-gov services - merely boots another crypto layer for individuals. Its the nature of a Turing machine, that one machine begets another.
> Need to be careful when starting a cyberwar  using nationalistic arguments. Cyber is about people, and like most war, it comes down to numbers of boots on the ground (or eyes on screens).

Social Web Architect

Received on Thursday, 24 March 2011 19:52:08 UTC