Re: What ASN.1 got right

[Nico Williams <nico@cryptonector.com>]

On Tue, Mar 02, 2021 at 01:45:59AM -0500, Phillip Hallam-Baker wrote:
> > I don't follow.  Given all the CPU, RAM, and storage available now, what
> > would you do differently?  Mesh, yes, I know, but, remind me how Mesh
> > uses all that extra HW that PKIX leaves on the table?
> 
> The original goal of the Mesh was to make computers easier to use by making
> them more secure.
> 
> WebPKI is really limited to authenticating organizations. Private key
> management considerations are pretty much out of scope. The assumption is
> that Alice has a public key pair which is stretched to separate keys for
> encryption and decryption.
> 
> The Mesh has a separate key for every function and for every device and
> application. So if Alice has a dozen machines connected to her Mesh, they
> each have separate encryption, authentication and signature keys. And they
> are all used for threshold operations which really don't fit into the RSA
> scheme of things.

But do you need to store a huge mesh on every device?  Where is all the
power of modern HW being used here?

> Introducing more keys allows me to deal with all the real world use cases
> that get ignored like what to do if Alice loses her phone, if she is
> planning to go through an airport in a hostile police state, etc. etc.
> 
> Sure, now I have the architecture, we could go back and spend ten years
> working out how to retrofit to PKIX. Or we could write some end to end
> secure applications that are exactly as easy to use as the applications
> people use today. I am talking about zero user impact security, zero trust
> models, etc.

I mean, Alice can have a private CA for her devices, with secret
splitting / threshold crypto used to spread that around, and/or secure
elements storing the keys or key shares, and yet all the devices might
not need to know all the other devices' keys because they might always
present EE certs chaining to her private CA.  The naming on the
certificates would be all pseudonymous perhaps, or real names encrypted
to a key specifically for that purpose that all of Alice's devices have,
so that she can identify them.

PKIX certificates are just bags of "extensions", so you can fit any of
that into it.  There's even an extension for encrypted naming, though I
forget right now what it's called, and it might not fit your needs.

(And yes, if a bad of random extensions + a signature is all one needs,
then ASN.1 is overwrought for it.  Just if you use JSON, please don't
make the schema for that overwrought either.)

> Social media where the service cannot read any of the posts.

But they give you the software you need to use it, right?

All these apps that claim to have end-to-end crypto, but where you have
to run an implementation you didn't write, so you don't really know if
there's a MITA or backdoor or whatever.

> > > If you want a decent PKI for user authentication you need to be
> > > willing to do Internet2 for PKI and do some blue sky research.
> >
> > No please.  That's how we got X.500 naming to begin with.  Subject Alt
> > Names exist because X.500 failed.
> >
> > SMTP and RFCx822-style email address naming killed X.400 because X.400
> > inherently meant an awful UX.  X.500 naming needs to die.
> 
> I come to bury X.500 naming, not to praise it.

+1

> People don't have DNS names and a majority of people on the planet can't
> afford $10/yr to rent one. And that tomato has sailed.

Well, certainly DNS naming is 1e6 times better than X.500.  But I agree
that for individuals it doesn't work.

> We need names that cost $0.10 for life. If we can get the price that low,
> we can get to universal coverage some day. We can find someone to pay even
> if the end user can't afford it.

+1.

> $10/yr is a thousand bucks over a lifetime. Won't be able to find someone
> to sign that check for the planet.

Well, most households pay for utilities, but I agree.