Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item

[David Chadwick <d.w.chadwick@kent.ac.uk>]

Hi David

I have been thinking about the question you posed below, and my response 
is just below it

Kemp, David P. wrote:
> David,
> 
> I have to agree with Stefan and Steve on this.
> 
> 1) DNS may be mis-trusted (falsely treated as a trusted entity)
> with disastrous results, but properly designed applications would
> permit PKI to fix that, not fail because of it.  A signed object
> containing a DNS name permits detection of DNS failures.
> 
> Any purely DNS-based identity registration process is, of course,
> as weak as DNS itself, so PKI at a minimum would have to use
> something like credit card identity proofing through multiple
> channels (physical mail of a registration secret + home
> telephone activation) if it wishes to claim better assurance
> for real (vs. pseudonymous) identities than that provided by DNS.
> 
> 2) It is not the REST model that is of concern - short CRLs,
> OCSP responses, or their signed SAML equivalents could be
> retrieved just as easily using RESTful requests (SOAP/resource)
> as with LDAP, CMC, or SOAP/RPC.  As Stefan says, it is the
> signed object generated by a trusted PKI component that counts,
> not the method by which it is obtained.  Of course, a CA
> with any particular level of assurance could operate a WebDAV
> interface that yields the same results as its CRLs, but you
> intend WebDAV revocation responders to not be limited
> to CAs, thus greatly expanding the attack surface of the system.
> 
> Is there a way to leverage all three portions of the proposal
> (REST conceptual model, REST protocols, and naming models)
> while preserving the end-to-end (PKI to consumer application)
> properties of signed objects?


One solution would be for the cert URL to point to the certificate and 
the revocation URL to point to the CRL for this certificate, in which 
the following states hold:


Certificate exists and is valid: certificate at certificate URL and 
empty CRL at rev URL
Certificate exists and is revoked: nothing at certificate URL and CRL 
with single entry at rev URL.
Certificate not issued: nothing at either URL (URLs probably not defined)

In this way you have cryptographic proof of the state of the 
certificate, and each certificate has its own stateful resource URLs.

What do you think?

regards

David


> 
>>> What the webdav scheme gives you is instant revocation
>>> status, which CRLs do not give you, but the tradeoff is 
>>> having to trust the repository.
> 
> If "instant" is the goal, I believe it would be better
> achieved by morphing the repository into a basic assurance
> PKI component with its own keys.  A CA's CPS can document
> any deliberative process it wants (including none) before
> revoking certs, thus permitting delegated responders
> (WebDAV or other) to achieve any desired tradeoff between
> response time and accuracy.
> 
> V/R,
> Dave
> 
> 
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************