Re: [dane] Classic PKI and DANE in harmony

[Phillip Hallam-Baker <hallam@gmail.com>]

On Wed, Jun 12, 2013 at 9:08 AM, Ben Laurie <benl@google.com> wrote:

> On 12 June 2013 13:31, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>
> > A second advantage is that it enables discretion. Any security check that
> > you implement in the browser has to be reduced to a set of codified,
> > completely standard rules. The spam filtering companies don't take that
> > approach, they have a more tactical scheme making use of heuristic data
> and
> > actively change their strategy in response to changes in opposition
> tactics.
>
> Fair points. I note, though, that you still end up configuring every
> light bulb...


I do that once and the protocol allows the configuration to be done with a
smart phone with a QR code reader capability:

http://tools.ietf.org/html/draft-hallambaker-wsconnect-02

I don't think it is practical to expect a light bulb to have a full IP
stack let alone DANE. but it is possible for them to consume DANE and PKIX
trust assertions if there is a secure way to delegate those choices to
another device.

More likely the light bulb is plugging into some low bandwidth, short range
wireless network. So what you would want is not connecting to Omnibroker
but some sort of general 'home automation' center that will tell the
lightbulb how and where to plug into the local site infrastructure.

After realizing that I chopped the Omnibroker protocol into two parts. The
difficult design decisions are all in the JSON Connect (JCX) Web Service
which makes it easy to establish that initial authenticated connection to a
trusted Web Service (which can be of any type at all). Omnibroker is then
simply one protocol that makes use of JCX to establish the long term trust
connection.


> The broker can be required to hand over all the data used to make its
> > decision.
>
> Not much use if the client can't check it? The advantage of a CT (or
> RT)-like scheme is that anyone can check it, and all the client needs
> to be able to do is check consistency...
>

Come on, you point out yourself that you only need a handful of browsers to
perform CT checking in order for CT to be largely effective at detecting a
major CA breach.

People who don't trust their broker can run a browser that revalidates the
chains locally. But as we all know, even a browser with local DNSSEC
validation is going to sometimes need help making sure it gets DNSSEC data
to work from. So running the omnibroker just as a path discovery agent is
still valuable.

But for the general consumer, they actually trust us to decide what
programs run on their machines at all. CertSentry, the Comodo
Ombinbroker-like application is currently bundled on the anti-virus
product. The expectation is that that Omnibroker will eventually replace
the proprietary protocol in CertSentry 1.0 to power the next generation.


-- 
Website: http://hallambaker.com/