- From: Henry Story <henry.story@bblfish.net>
- Date: Thu, 22 Dec 2011 15:55:53 +0100
- To: Tim Berners-Lee <timbl@w3.org>
- Cc: Noah Mendelsohn <nrm@arcanedomain.com>, Harry Halpin <hhalpin@ibiblio.org>, "www-tag@w3.org" <www-tag@w3.org>, Philippe Le Hegaret <plh@w3.org>
On 20 Dec 2011, at 15:10, Tim Berners-Lee wrote: > I'd like to concur on the importance if this issue. The TAG should probably track the high level dependencies between these issues, and help bring people together rapidly to help select an initial response .. Maybe longer term new designs on a longer track. > > In the longer term a fairly flexible web of trust infrastructure which can be easily reconfigured as a function of which institutions one tends to trust in different situations and at different times might be appealing. > > Tim > Sent from my portable device. Btw on the WebID XG we had Corella Francisco who is participating in the US based NSTIC ( National Strategy for Trusted Identities in Cyberspace ) join us this summer on our teleconf. Not all technologies solve all problems and one problem WebID does not solve is anonymous client identification ( a bit of a wild attempt to square the circle it seems to me). In any case the technologies that claim to do it, all require it seems strong authentication of the identity provider. So one can then look at the identity providers as themselves working in a web of trust system. If we add Linked Data to this web of trust then we can turn it into a World Wide Web of Trust, even when using old traditional CA certificates! The trick is to do the same thing the WebID XG is doing to the subject alternative names of those certificates ( see the spec http://webid.info/spec ) but to the Isuser Alternative Names. Anyway I detailed that out here http://lists.w3.org/Archives/Public/public-xg-webid/2011Aug/0017.html So one could imagine that companies for example trusting banks because their government had put up a list of acceptable banks businesses on its territory can work with, identified with WebIDs. There is a lot to explore here... Henry > > On Dec 20, 2011, at 3:32, Noah Mendelsohn <nrm@arcanedomain.com> wrote: > >> Thank you to both Henry and Harry. >> >> FWIW: these are IMO indeed crucial issues for the health of the Web, and I will schedule discussion with the rest of the TAG in the near future. Obviously, we'll have to consider not only whether other TAG members agree, but also how this rates against the TAG's other priorities, whether others are in a position to do a better job or work with us on this, etc. >> >> In any case, we'll give it some serious thought. Thank you for bringing this to my/our attention. >> >> Noah >> >> On 12/19/2011 6:58 PM, Henry Story wrote: >>> I agree on the importance of this. >>> >>> Btw, just as important as that the CA system is broken is that DNS is broken. >>> DNSsec has now been deployed I believe, and it is up to the browsers to >>> implement it into the stack. As that is done and simultaneously you then >>> strengthen and bypass the CA system by placing keys into the DNS. This is >>> what the DANE folks at the IETF are working on. Here is their latest draft >>> spec: >>> >>> http://tools.ietf.org/html/draft-ietf-dane-protocol-13 >>> >>> This will allow: >>> 1. CAs to be double checked by a signature from the DNS >>> 2. Bad and untrustworthy CAs cannot break the whole sytem >>> 3. It allows self signed certificates to work >>> >>> I suppose browsers are putting energy into implementing this or >>> some variant of it. >>> >>> So that does not fix the corrupt regime problem, but it at least >>> it makes political players not disinterested in the solution. Those >>> solutions can then be further re-enforced by the solutions you propose >>> below. What is clear is that we all these solutions are moving towards a web >>> of trust. The original trust givers were initially the CAs, next they will >>> be CAs and DNSsec, then they will be them and whichever other group you trust. >>> >>> On the client side this is what WebID is building on. ( http://webid.info/spec ) >>> >>> Henry >>> >>> On 20 Dec 2011, at 00:44, Harry Halpin wrote: >>> >>>> While I understand the CA system is somewhat outside your usual remit, >>>> let me add this to your pile of woes. I'm doing this because 1) the >>>> system has so stunningly came apart at the seams last year that it >>>> seems all parties involved in the Web (ISOC, W3C, etc.) should be >>>> actively looking at this issue and 2) there are now three different >>>> proposals for fixing this. >>>> >>>> There's currently a giant gaping security issue on the Web, namely >>>> that the it's quite easy to fake the root certificates of a CA and so >>>> compromise TLS connections - and thus most high-value transactions on >>>> the Web in a way that is *very* hard to detect. For a detailed >>>> explanation of the problem, Moxie of Whisper Systems has an excellent >>>> video [1]. There's been a number of very high-profile compromises, >>>> such as the Diginotar [2] and Comodo attacks [3]. Overall, probably >>>> problem #1 for security on the Web. It undermines all financial >>>> transactions on the Web - I'd bet money Paypal stays awake at night >>>> thinking about this. It's also a life and death situation for human >>>> rights activists in Syria, Iran, and elsewhere - who may not stay >>>> awake another night if the cert for their Gmail or Facebook account is >>>> faked. >>>> >>>> Now, over the last weeks I've seen about 3 different proposals that >>>> are quite serious: >>>> >>>> 1) Google's Proposal (Ben Laurie and Adam Langsley): Basically make a >>>> public audit log of registered certs, and then the client/domain >>>> owners can check their certs versus that log. That probably has some >>>> browser component for checking all of this [5]. >>>> >>>> 2) Sovereign Key proposal from EFF (Peter Eckersley): Similar to >>>> Google's proposal but more complex, uses an audit log of a "Sovereign >>>> Key" rather than certs [4] >>>> >>>> 3) Convergence Proposal from Whisper Systems/Twitter (Moxie >>>> Marlinspike): Features a more decentralized CA-like system with >>>> user-based "trust agility" where users can choose which CA-like >>>> "notary" to trust via browser [6] >>>> >>>> At TPAC, I talked to some of the browser team folks about this, >>>> everyone agreed the CA/Browser Forum is dysfunctional (i.e. a front >>>> for the current broken CA system) and they would be happy to see W3C >>>> or someone move in this space [6]. Google notes "We now have an >>>> outline of the basic idea and will be continuing to flesh it out in >>>> the coming months, hopefully in conjunction with other browser >>>> vendors." [5] >>>> >>>> So maybe time for W3C to move? While I understand the TAG only makes >>>> "findings", I suggest that given the overlap between the Google and >>>> EFF proposal, I'm pretty sure there's a solution space going on here >>>> even if it's outside of the TAG's expertise, and that solution space >>>> will probably involve - browsers, and interaction with the CA/Browser >>>> Forum.. Sounds like it's time for W3C to make a move. I'd do an >>>> analysis of the topic, but also suggest that this problem is big >>>> enough to warrant getting folks together on ASAP. >>>> >>>> Who: I'd suggest that we return to the idea of hosting a workshop on >>>> this topic, and since it's a large topic, I suggest W3C co-host with >>>> the CA/Browser forum and maybe ISOC/IAB. >>>> When: Soon as possible. >>>> >>>> [1]http://www.youtube.com/watch?v=Z7Wl2FW2TcA >>>> [2]http://www.guardian.co.uk/technology/2011/sep/05/diginotar-certificate-hack-cyberwar >>>> [3]http://news.cnet.com/8301-1009_3-20050503-83.html >>>> [4]https://www.eff.org/deeplinks/2011/11/sovereign-keys-proposal-make-https-and-email-more-secure >>>> [5]http://www.imperialviolet.org/2011/11/29/certtransparency.html >>>> [6]http://convergence.io/ >>>> >>> >>> Social Web Architect >>> http://bblfish.net/ >>> >>> >>> >> >> Social Web Architect http://bblfish.net/
Received on Thursday, 22 December 2011 14:56:32 UTC