Re: [Bimi] Where do the signed certificates come from?

[Dave Crocker <dhc@dcrocker.net>]

Thede,

On 2/13/2019 8:38 AM, Thede Loder wrote:
>> On Feb 11, 2019, at 16:14, Dave Crocker <dhc@dcrocker.net 
>>     What is the basis for thinking that this will work?  At scale?
> 
> Some reasons in favor of scale:

A goal for my question is thoughtful and focused consideration of the 
issues.  Long lists of unanchored references don't achieve that, even if 
the list is in fact perfectly relevant.  This is an exercise for which 
giving the answer is simply not enough.  We need to show our work.


So...


> * Unlike 30 years ago, there are now 50+ Certificate Authorities 

30 years ago was a starting point.  My comment was about 30 years of 
history, not about the starting point.  And my point was that though 
X.500 certs were in fact originally intended to support this sort of 
certification of 'interesting' attributes, over that entire 30 year 
history, they have proved to be not up to the task.

So the question is why this proposed use will enjoy a better outcome?

Also note that there are massive problems with exposures and 
misbehaviors of the CA operator mix.  (Oddly, folks inside the security 
community seem unaware of these problems, while folks outside the 
security community seem to view them as obvious and massive.)


> spanning the globe and serving a mix of market consituents, large and 
> small.  Supporting VMCs are operationaly incremental.

This being a technical forum, I hope we can avoid marketing language. 
As for the technical point about being operationally incremental, I'm 
not sure what you mean.  Please be specific.


> * TLS certificates are well known to individuals and organizations large 
> and small.  They didn't even exist 30 years ago.

And yet the real-world semantics and efficacy of their use is 
impressively narrow, and there is widespread bypassing of the 
independent CA system.


> * the process for obtain a Verified Mark Certificate is largely the same 
> as obtaining a TLS certificate, and the extra steps will be readily 
> understood by those responsible for the management of intellectual 
> property.  (At least for the first type of alternative identity 
> contemplated)

The semantics for a VMC are significantly different than for a TLS cert. 
  The differences are important, as are the existing issues with getting 
and using a TLS cert.

For the most part, the usual, reasonable benefit of a TLS cert is a 
private connection to the site you intended. (And note that with the 
popular use of self-signed certs even that benefit has some important 
limitations.)

That's quite different from trusting a displayed mark to an end user.


> 
> * DNS scales (or we have bigger problems)

I'll guess this should translate into:  BIMI is built on top of an 
existing platform of services that are known to scale well.

That's not an irrelevant point, but it's also not an interesting one for 
this discussion, IMO, since that's not where the design and operations 
concerns are.


> * Internet users want it - clear demand

That claim keeps being made but I've never seen any serious 
documentation for it.

Worse is the question of efficacy.

What is the end-user benefit in having marks displayed?  I'll suggest 
you point at, and comment on, the considerable research about this point 
that was done when the BIMI effort started a couple of years ago.


> * there is no "rocket science" involved; the formats, process and 
> supporting technology are straightforward extentions  and analogous to 
> what is already in practice today

There is in fact quite a bit of rocket science.  There is even a basis 
for claiming that what is being attempted is beyond the state of the 
art, based on historical performance.

The problem with claiming things are rosy is in looking at this 
component or that rather than at the integrated system.


> * authentication schemes necessary for safe use a primary anticipated 
> application having 2 billion users is already widely supported

This seems to be another component-level comment, but I'm not certain.

Hoping that you are not commenting on the underlying crypto algorithms, 
I'll guess you mean SPF, DKIM and DMARC.  If so, note the considerable 
misunderstandings that are prevalent about their semantics and how much 
broader the semantic of Bimi is, which suggests even more serious 
misunderstandings.


> * trademarks scale.  There are ~2M design marks with the USTO, estimated 
> 20M world wide, and scalable processes and government support to handle 
> increased demands.  They have legal standing.  Registration 
> jurisdictions can be expressed as ISO country codes unambiguously

The internet is global.  How things work in a particular country are 
generally not that relevant to Internet standards work.

On this list already, others have have already raised some points about 
challenges in using trademarks within Bimi.  And this topic has been 
raised throughout the history of Bimi work.  To date I haven't seen any 
sort of comprehensive treatment of the concern that actually deals with 
it.  I believe that one of the submitted documents basically classes it 
as 'for further work'.

FWIW:

      The string 'mark' doesn't appear in 
draft-chuang-bimi-certificate-00, draft-chuang-bimi-certificate-00

      It appears in draft-brotman-ietf-bimi-guidance-00 in a 
hypothetical context.

      So I assume the serious effort on this is in the nascent Verified 
Mark Certificates Usage(*) document?


(Anecdote:  In the pre-ICANN IAHC, which developed the term gTLD, the 
model of registrar/registry split, and the concept of the UDRP, and for 
which I was the editor, our first meeting included the representative of 
the WTO suggesting we resolve the global DNS concerns about trademarks 
by using international trademarks.  Being on non-lawyer, I pretended 
ignorance, noting that I thought trademarks were only national 
constructs, and then I asked whether international trademarks already 
existed.  The WTO representative admitted they didn't but offered that 
discussions were underway.  I asked how long they had been going on for 
and he said 100 years.  So forgive me if I find myself rather more 
skeptical about resolution of this topic than one might wish...)


> To the point of an existence proof, it would be impossible to have one 
> prior to having it.  But do we think CAs can issue millions or even 
> billiions of VM Certs?  Sure.

My question really was about related work.  To the extent that Bimi 
relies on existing capabilities or makes relatively small adaptations to 
existing capabilities, the the only risk is in the increment.  To the 
extent that it is doing anything that really has no serious precedent, 
the risk is obviously larger.  The same holds for relying on existing 
work that in fact has proved problematic.

d/


(*) 
https://docs.google.com/document/d/1OzL9FqexZpZJQuoqAK2E3sXjOwEcLNCvXW7e88Olt2I/edit#heading=h.h31mzi4ac5st

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net