IETF Logo Mail Archive

Re: [pkix] [smime] Key lookup service via draft-bhjl-x509-srv-00

Wei Chuang <weihaw@google.com> Wed, 23 March 2016 23:00 UTC

Return-Path: <weihaw@google.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D372812DA2E for <pkix@ietfa.amsl.com>; Wed, 23 Mar 2016 16:00:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aM_uqw4k_3Ez for <pkix@ietfa.amsl.com>; Wed, 23 Mar 2016 16:00:53 -0700 (PDT)
Received: from mail-vk0-x229.google.com (mail-vk0-x229.google.com [IPv6:2607:f8b0:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 679F312DA2A for <pkix@ietf.org>; Wed, 23 Mar 2016 16:00:47 -0700 (PDT)
Received: by mail-vk0-x229.google.com with SMTP id k1so38029623vkb.0 for <pkix@ietf.org>; Wed, 23 Mar 2016 16:00:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=7S5A8WE7CHNX9kMTl7UQj0ny0BHT1+S95kfS1TcHTLw=; b=FysO6bQS54gNIuwYqqwPmgOg/3nk+MY1ldjtvrVg1J7KOq4Qg7GT56sxq3DZ7qpjdm 19Z30azx6hoy981s80sBC9UT8bXZDLiSTypkRey6odWZD8OWFb3brpElP04q/yxlgxIX mPEpzLRM+deulCBTNDODa/AvTcgVSQQw9bF8FLz8e8WKJgiU9famB4BaoqyR/DNnferP PrXfmUJC8sjSrZUUlA9Sy41bRE7yOnOMAZl2JIrfSsM7Y9HAYG+I5jPirYRQ+T1t7DB7 nUnmfaR23jiBoWVFTh2N0pZl5ynbN445Rji4LO7nZhnnte0f2pJPYjAZFo5R8IozP/AM uwNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=7S5A8WE7CHNX9kMTl7UQj0ny0BHT1+S95kfS1TcHTLw=; b=SU4vkVAaEgLwJde5zm28jDiIE6A1Ec4X69Tvh6KXWA8pTChwdbSJMVpYJDUdcbWVvV bAMP2xk4ZccJnTwRHIQsh2FH/TfY3PSb+v9aas3bKerrPmHnR5NPWlYwnb8SH8PECTR8 zUlpmiv/GkLBqGV9urBlJnYOzHeNXhvY3jSfJ3FZ/R3cyP8OabXYFOguUUaV5YianSPL +sHUeYIPHh9DsFNOTuuKqa8FVGwX9FtFSK/kYeHybeSBQ6qzXXmuud54H0pxr53EjboQ zNeBl8iXTpDVM/8WhQ1Y1hZySIV9AnH9MjFDasn/Eq8IR+5KobVk6xjmvJftPXz5nR93 Svng==
X-Gm-Message-State: AD7BkJIeDbhG9t8/tdVaPs6gRmyczDVrLCSbCk6IUpXK2t0wDBYiUyUU2jInyrNvFQbLnWz9N4892wv8WKfUBCA3
MIME-Version: 1.0
X-Received: by 10.176.1.240 with SMTP id 103mr2636989ual.54.1458774046335; Wed, 23 Mar 2016 16:00:46 -0700 (PDT)
Received: by 10.159.36.179 with HTTP; Wed, 23 Mar 2016 16:00:46 -0700 (PDT)
In-Reply-To: <alpine.OSX.2.11.1603231822170.5982@ary.lan>
References: <CAAFsWK3HEXDgqONxBohBCGMKk2qMa230fxcNEaGhoTwQZVYQoQ@mail.gmail.com> <alpine.OSX.2.11.1603221443230.18473@ary.lan> <CAAFsWK2Xbw0eU2oz4edtmPH5PhwJgQkTYWKhFruZnCnD37c_CQ@mail.gmail.com> <alpine.OSX.2.11.1603231431110.4624@ary.lan> <FB501B0B-999D-45E4-A739-4D561A25275B@mitre.org> <CAAFsWK1p-_HNYwM1B-p8MMo58u2hURW45ytKr_1f3h+XKDS5wA@mail.gmail.com> <alpine.OSX.2.11.1603231822170.5982@ary.lan>
Date: Wed, 23 Mar 2016 16:00:46 -0700
Message-ID: <CAAFsWK1ySBR0g8ETO1rCCS=AY386-fZdcxBGjU3RV1Kwfs7m4w@mail.gmail.com>
From: Wei Chuang <weihaw@google.com>
To: John R Levine <johnl@taugh.com>
Content-Type: multipart/alternative; boundary="001a113cfa50d7385f052ebf4cd5"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/bIPl5HNbnONsxYyP-ufq_IjfZho>
Cc: PKIX <pkix@ietf.org>, IETF SMIME <smime@ietf.org>
Subject: Re: [pkix] [smime] Key lookup service via draft-bhjl-x509-srv-00
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2016 23:00:57 -0000

On Wed, Mar 23, 2016 at 3:23 PM, John R Levine <johnl@taugh.com> wrote:

> Could Yahoo! (in this example) not provide a means for their users to
>> update the key lookup service?  As the user is authenticated through their
>> UI, he or she could upload the keys they want in a secure way.
>>
>
> Sure, and then Yahoo would serve the keys the users provide.
>
> R's,
> John
>
> PS: Except for the MITM keys intalled by government order or rogue
> employees.
>

If this is part of the threat model, Coniks has some ideas about auditing
key services against what they term equivocation or presenting different
keys to different users. The other aspect albeit in the far future one
could try to replicate what has been done with WebPKI which in my opinion
has been effective against those threats, and create a broad trusted anchor
eco-system with strong enforcement.

-Wei

v2.23.0 | Report a Bug | By Email