- From: peter williams <home_pw@msn.com>
- Date: Thu, 24 Mar 2011 13:56:24 -0700
- To: "'Henry Story'" <henry.story@bblfish.net>
- CC: "'WebID XG'" <public-xg-webid@w3.org>
- Message-ID: <SNT143-ds163C3D495C65AA0180EE4392B60@phx.gbl>
Ok. So the real policy issue is - ignoring a swap of bit bucket - that the name scoping rules within X.509 certs (signed keys) should be turned on and polished up globally - since they are rarely turned on or leveraged, outside military user groups. Then, a CA cannot act outside the name scope of its parent cert or its root registration record, without detection of that scoping violation by operational agents (browsers). The root authority sets/enforces the scope, by issuing signed scopes known as CA certs and cross-certs. (SAML does the same thing essentially, using signed XML metadata that again sets the audience limits of IDP agents, to govern the assertion rewriting world) For example, only Germany, France and UK can issue .com certs, with US being banned. Huh? Is that going to fly? For hierarchical names (*.ac.uk, *.uk, *.us, *.ca.us) this is all in the IETF X/509/PKIX standard and in Windows, awaiting community decision to turn on the controls. It's politically fraught (since now 1000 CAs apparently will all whine about their rights, and lost freedoms, and who know what else). But, it's not a technological issue. Its politics, where it belongs. Use DNS scopes, SAML scopes, or X.509 scopes, the politics is the same: vendor compliance of the security standard, correct enforcement of the control plane, authority recognition by CAs, and will to be governed by another (a policy authority) in a trans-national world. You can just hear Gilmore now: I will never be ruled by the US government policy authority. You can just hear the US military: the worldwide root will be on US soil, run by highly trusted intelligence officer soldier like Manning. You can hgear the FBI, all roots will chain to us, so we have "forensic integrity." In France, we will never accept a British root; or any cert using English names. In NATO, we need to reissue everyone a new cert, in parallel, since we are all transnational. In Canada, we think there should be no roots, only cross-cert meshes at the top layer so everyone gets along. In Thailand, we think all Postal office should be the CA. In Bahrain, only certs for Sunnis; the other groups clean our bathrooms and don't need certs to skivvy! In California, we won't accept a US GSA signing authority, as we want to sign marriage license for gay folks (and the GSA cert wont allow that use). In Georgia, we refuse to legally recognize the certs from Maryland, as they wont accept our notarial documents.in court cases. In the windows world, this can be sorted in 1 week. It can be done globally in a week with windows update to distributed the revised signed root list (this is how long it took to populate globally the revoked authorities during a certain, infamous VeriSign compromise of Authenticode). It's all waiting there, seeking community will to exploit the control plane of certs (which are largely equivalent to the control plane proposed by DNS types) One can use the basic constraints extension in CA certs, while we are at it. This limits a CA powers to enable additional CAs Any takers? Good luck! It's interesting that self-assertions and self-signed certs for webid, the nice individual, decentralized webby world of self-managed foaf cards has rapidly turned to policy on roots. But, then, it always does. (for javascript coding DES/RSA, say, I meant simply serve the foo.js from an https server populated with a high-assurance govt server cert) - which speaks for its integrity. If two servers share foo.js and foo1.js with each other, one simply implements a "next layer up" SSL message exchange using the javascript., free of policy controls like CA name scopes, etc. From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org] On Behalf Of Henry Story Sent: Thursday, March 24, 2011 12:51 PM To: peter williams Cc: 'WebID XG' Subject: Re: Certificate Authorities under increasing spotlight On 24 Mar 2011, at 20:23, peter williams wrote: -----Original Message----- From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org] On Behalf Of Henry Story Sent: Thursday, March 24, 2011 10:55 AM To: peter williams Cc: 'WebID XG' Subject: Re: Certificate Authorities under increasing spotlight On 24 Mar 2011, at 18:28, peter williams wrote: > Nothing in DANE fixes the problem. It just shunts it around, with some > other vendor hoping to capture some control over the key management > infrastructure. For some reason, some folks believe that a > DANE-enhanced DNS now wielding Thor's mighty hammer, will fix the > non-problem. PKI hierarchies were evil, but hierarchical DNS signed zones are not...somehow. They are a lot less problematic for the reasons explained in the CNET article. For one the US banks and large companies will feel a lot more comfortable knowing that their security is not in the hands of the enemies of the US. Do explain why. I found no supporting argument in the CNET article - it was journalist grade reasoning, and not his best either. So far, I've heard a national security argument, not a civilian argument. One is militarizing the web, with that argument; and one must expect China to respond in kind. It's only fair to 1.5 billion people, there, and the 2,500 computer engineers who graduated, just yesterday (and today, and tomorrow, and next Tuesday, and .). The argument was very clear and proceeds in 2 points: 1. currently any CA in the world that is in a browser can use their root key to create fake certificates for any domain in the world. So a few universities in Germany can create fake Bank of America certificates. 2. DNSsec with Dane will reduce that simply because it creates responsibilities that are correctly aligned with interests of the real world actors: states. The .us domain will be controlled by the us, and the .uk domain by the uk. German universities will no longer be able to create fake certificates for bank of america. The journalism is very good: it has made a complex issue understandable. For anyone with an understanding of Realpolitik the logic is very clear. Explain why you think that the root keys for the DNS zone I don't see root keys as a necessary part of DNSsec. They just make it easier to get it started. DNSsec can work, and until last year has worked without. This is a bootstrapping issue. or RR signing, and the inevitable signing of delegated signing powers to zone providers in national and corporate jurisdictions, will be any different a political landscape to the world of root keys managed by cert stores in browser-land, in EV land, in Authenticode-land, in java jar signing land, etc. Why will e-commerce be saved , when one swaps bit bucket? Why this notion of "saving"? Why the drama? Security as said before is not a one strike solution. If you are looking for that you will be decieved. But there are things that are clearly improvements. And to your questions the answer is yes. Of course it is going to be better if China can't sign certificates for the Bank of America anymore. Doesn't civilian openness require it all be pretty low-assurance, and at best medium assurance if one spends an additional $1 a year bothering to confirm some facts? What 15 years taught me, is that is REALLY TOUGH to get anyone to spend even $1 a month. Surely, the root keys for DNS zone and RR signing will just be in the root hint file in each PC, which is semantically just the same as the file holding the trust anchors for certs. That file, and its own distribution, aiuthenticity, control and local extensibility .is still the crux of the matter. yes, it does not solve all the problems... Now, I have an argument that I find convincing - but then I'm just convincing myself, which is not very impressive rhetoric. But, it comes down to a webid premise (and web premise). For, Im able to accommodate the vision you advocate; as it's an enabler. ok. Assuming that from DANE/DNSsec trust the trust in a billion webid foaf files is booted (being served from a now publicly trusted endpoints), yes, that's it. It helps us a lot to boot security. It means browser vendors will be on board for reasons that have nothing to do with our group which they will be more likely to ignore. one also has the ability to distribute javascript Sorry, you loose me when you speak of javascript in the cert... Is it that you think Web people like javascript, so if you powder something with javascript it will be webby? That is to look for the web in the wrong place. Look at Roy Fieldings thesis on REST please. - delivering interpreted crypto code (programmed one of those 15000 computer engineers who graduated LAST WEEK, based on new math developed by one of the 1000 math graduates from the same week's graduation class). Thus one layer - all controlling and locked down for high-assurance to serve the large US banks outreach to consumers who have similar high assurance tokens to consume e-gov services - merely boots another crypto layer for individuals. It's the nature of a Turing machine, that one machine begets another. Need to be careful when starting a cyberwar - using nationalistic arguments. Cyber is about people, and like most war, it comes down to numbers of boots on the ground (or eyes on screens). Social Web Architect http://bblfish.net/
Received on Thursday, 24 March 2011 20:57:03 UTC