IETF Logo Mail Archive

Re: [keyassure] publishing the public key

Henry Story <henry.story@bblfish.net> Tue, 22 February 2011 09:17 UTC

Return-Path: <henry.story@bblfish.net>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4360A3A67AF for <keyassure@core3.amsl.com>; Tue, 22 Feb 2011 01:17:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.111
X-Spam-Level:
X-Spam-Status: No, score=-3.111 tagged_above=-999 required=5 tests=[AWL=-0.112, BAYES_00=-2.599, J_CHICKENPOX_44=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C0YAG4YUVcsR for <keyassure@core3.amsl.com>; Tue, 22 Feb 2011 01:17:09 -0800 (PST)
Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com [209.85.214.54]) by core3.amsl.com (Postfix) with ESMTP id DAF203A67A5 for <keyassure@ietf.org>; Tue, 22 Feb 2011 01:17:08 -0800 (PST)
Received: by bwz12 with SMTP id 12so3440559bwz.27 for <keyassure@ietf.org>; Tue, 22 Feb 2011 01:17:51 -0800 (PST)
Received: by 10.204.32.216 with SMTP id e24mr2226663bkd.204.1298366271428; Tue, 22 Feb 2011 01:17:51 -0800 (PST)
Received: from bblfish.home (ALagny-751-1-8-99.w86-218.abo.wanadoo.fr [86.218.107.99]) by mx.google.com with ESMTPS id j11sm4353756bka.0.2011.02.22.01.17.48 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 22 Feb 2011 01:17:50 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <p06240804c988c84933b6@[169.223.137.111]>
Date: Tue, 22 Feb 2011 10:17:44 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <B6315D18-AE32-4CE8-A7A5-7D155C1F259B@bblfish.net>
References: <E1PqbpT-0000pd-Kz@login01.fos.auckland.ac.nz> <alpine.LFD.1.10.1102201747370.26752@newtla.xelerance.com> <4D619C94.8090702@vpnc.org> <93E9FABD-A84A-4A4E-AF96-6E101604F8B4@bblfish.net> <p06240803c98892e88fc4@[59.188.192.152]> <1FAB667F-44F9-4349-B11B-F4FECD51BB81@bblfish.net> <p06240804c988c84933b6@[169.223.137.111]>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.1082)
Cc: WebID Incubator Group WG <public-xg-webid@w3.org>, keyassure@ietf.org
Subject: Re: [keyassure] publishing the public key
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Feb 2011 09:17:10 -0000

On 22 Feb 2011, at 03:00, Stephen Kent wrote:

> At 12:49 AM +0100 2/22/11, Henry Story wrote:
>> ...
>> >
>>> Do you mean "identifies" or "authenticates?" I think most folks view the DNS name (or URL) as the identity of the web site.
>> 
>> Partly. The DNS domain name is a name that one could think of as referring to a set of services, each of those having a name of the form name:port. The relation between the service name and the public key forms an identifying description, or I should say  a definite description  as it is known in philosophy. I used the following example:
>> 
>>  name:port knowsPrivateKeyof pubK
> 
> I don't think that most users, who often can't even tell if they have contacted a TLS-secured site, would think of a public key as part of the identity for the service. I also don't think that most of them think about the port either.

I was not speaking to most users but to this group of security specialists during a discussion on a protocol. The public key is a definite description that uniquely identifies the agent for the purpose of computers, not for the general public.

> 
>> That sentence does not authenticate, it describes. But it is part of the TLS authentication protocol. Authentication is the process that uses that information to prove the authorship of the messages sent down a socket.
> 
> once the TLS session has been established, it is symmetric crypto, using a key
> delivered or derived using a public key (or pair thereof) that provides the
> data origin authentication and connection-oriented integrity guarantees to
> which you allude.

I am aware of symmetric cryptography's role. But it is public key cryptography that is core in authenticating the server, and setting up the symmetric crypto channel. Symmetric cryptography is used because it is less cpu intensive.

> 
>> > We're debating the mechanics of how to enable a client to verify that the asserted identity matches the client's expectations, based on the content of a series of DNS records.
>> 
>> Yes, that is what the next part of my e-mail was describing the logic of. Now in the case of server identity the client knows what it wants the server's identity to be, since it initiated the call, went to DNS, found the ip address, and connected. The clienet can then use the public key found in DNS (or returned  by the server) to authenticate the service it is connected to.
> 
> right.
> 
> Steve

Social Web Architect
http://bblfish.net/

v2.23.0 | Report a Bug | By Email