Re: Using DNS system as a Global Root Certificate Authority - possible ?
Phillip Hallam-Baker <phill@hallambaker.com> Sun, 27 December 2015 04:17 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 061DB1B2A0A for <ietf@ietfa.amsl.com>; Sat, 26 Dec 2015 20:17:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.122
X-Spam-Level:
X-Spam-Status: No, score=0.122 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ebtqQOtIPEJn for <ietf@ietfa.amsl.com>; Sat, 26 Dec 2015 20:17:46 -0800 (PST)
Received: from mail-lf0-x231.google.com (mail-lf0-x231.google.com [IPv6:2a00:1450:4010:c07::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8486A1B2A10 for <ietf@ietf.org>; Sat, 26 Dec 2015 20:17:45 -0800 (PST)
Received: by mail-lf0-x231.google.com with SMTP id y184so185021844lfc.1 for <ietf@ietf.org>; Sat, 26 Dec 2015 20:17:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=oDA/BCZGMcefCv1F0eoaI85h41iKVNNNOm077rRqbBY=; b=vgOxHVQc8Z7NOEDa5VNRDlBqOIr1t+71gwVUxE1YtxkhKeNv7ytnrc80fHA5FluI3T aGM73IN48NiC286M5Ql6qx4fRTrTOAeeNDspqgECvwE/cAvhRqJU+dD81FxsaPAWqRuD gw4yM30kYtTVtZlPkNrglJTgQDM5uPaxhw1+icA6pwP/8z59lVhgIMh3ozoCbdiFcgxx QLVTU8sItZrxDK/52xZQynmkmcCfcXqmrhFBSlI6z50KVLrF5qsXDYJ7nTG03Pb0Vnn6 aIwhW741syYV6aIY7o+HItxyk5jR0hDi/vYFZ/JSphz0A2wJJAKqz1qCCmfNC1sypDrJ RZkw==
MIME-Version: 1.0
X-Received: by 10.25.30.5 with SMTP id e5mr13290988lfe.48.1451189863705; Sat, 26 Dec 2015 20:17:43 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.1.33 with HTTP; Sat, 26 Dec 2015 20:17:43 -0800 (PST)
In-Reply-To: <D24618171F1482DB31C6B8AB@JcK-HP5.jck.com>
References: <CAOJ6w=EdXPzK7f=zS0epuYXkkEcwtop11Ttt6QUR1-FtN1rGWg@mail.gmail.com> <CAMm+LwgGhs_W9g2yG-HC6YDBiz++Z-G5hbNL=bFGAcDQXJK9AA@mail.gmail.com> <D24618171F1482DB31C6B8AB@JcK-HP5.jck.com>
Date: Sat, 26 Dec 2015 23:17:43 -0500
X-Google-Sender-Auth: iinQx2K9KHkws9XnV8FnA8QCqow
Message-ID: <CAMm+Lwhr031q3MS_27rA13Fqew5JPLBZ9yjDTzuRdoNXCSt3Mw@mail.gmail.com>
Subject: Re: Using DNS system as a Global Root Certificate Authority - possible ?
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: John C Klensin <john-ietf@jck.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/FwnacxlIMXflKYSKbP-I_VLYkfo>
Cc: ietf <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Dec 2015 04:17:47 -0000
[Try the second] On Sat, Dec 26, 2015 at 10:11 PM, John C Klensin <john-ietf@jck.com> wrote: > > > --On Saturday, December 26, 2015 9:52 PM -0500 Phillip > Hallam-Baker <phill@hallambaker.com> wrote: > >>... >> One of the issues people don't seem to consider in these >> schemes is that merely reducing the number of trusted >> intermediaries from ~40 to one doesn't actually remove >> reliance on trusted third parties, it merely removes all >> choice in the matter. > > And even that equation tends to be complicated by the > observation that the trust relationship, as far as certification > of identity is concerned, is with the registrars (and, in some > cases, their agents and resellers) rather than with the > registries. At that point, the number of trusted intermediaries > gets back toward order 40 or 100, not one, unless the question > is "do you control this domain" rather than "are you who you say > you are". The question the WebPKI was designed to answer is 'are you accountable'. The original brief was to make buying 'stuff' online as safe as in person at a bricks and mortar store. The basic approach was to establish a degree of accountability, to make it infeasible for an attacker to acquire credentials at a rate that would make online fraud profitable. One of the things that irritates me is that in the original design, one of the principal controls used to ensure this goal was met was revocation, canceling credentials when a party defects. I can't stop a criminal registering a business but I can pull their certificate in 24 hours. But the applications don't see the need for this particular control or at least not in a fashion that is actually effective.. Which is rather odd since if there actually was a trust crisis in the WebPKI you would expect that complaints about insufficiently fast revocation would be at least as loud as complaints about mis-issue.
- Using DNS system as a Global Root Certificate Aut… Alexey Eromenko
- Re: Using DNS system as a Global Root Certificate… Warren Kumari
- Re: Using DNS system as a Global Root Certificate… Alexey Eromenko
- Re: Registrant identity, was Using DNS system as … John Levine
- Re: Using DNS system as a Global Root Certificate… Phillip Hallam-Baker
- Re: Using DNS system as a Global Root Certificate… John C Klensin
- Re: Using DNS system as a Global Root Certificate… Phillip Hallam-Baker
- Re: Using DNS system as a Global Root Certificate… Phillip Hallam-Baker
- Re: Using DNS system as a Global Root Certificate… Viktor Dukhovni
- Re: Using DNS system as a Global Root Certificate… Patrik Fältström
- Re: Using DNS system as a Global Root Certificate… Eliot Lear
- Re: Using DNS system as a Global Root Certificate… Patrik Fältström
- Re: Using DNS system as a Global Root Certificate… John C Klensin
- Re: Using DNS system as a Global Root Certificate… Masataka Ohta
- Re: Using DNS system as a Global Root Certificate… Masataka Ohta