Re: [pkix] New draft-ietf-pkix-rfc2560bis-06

[mrex@sap.com (Martin Rex)]

Miller, Timothy J. wrote:
>
> > X.509/PKIX is defective because it breaks badly already on fraudulent
> > cert issuance (a weaker form of CA compromise) and can not cope at all
> > with CA key compromise.
> 
> Do you have an alternative to the technology, because AFAICT,
> no PKI standards recover well from a breach of trust.

The design flaw of PKI is that all CA keys are single points of
failure.  There is a complete lack of backup if one fails, or can
be made to fail.

Designing a technology with complete lack of a backup system seems
like a bad idea to me.  Like skydiving with only one single parachute,
or designing a large commercial passenger jet with just a single turbo-fan
engine (something which FAA might refuse to certify for good reasons).


The fact that _no_ existing PKI standards provide backup facilities
today is a mere technical defect that _could_ be fixed.



>
> Even the web of trust has issues; if a well-connected introducer is
> compromised, all descendent keys become suspect--which can potentially
> encompass all nodes in the graph.  This can be as devestating as a
> CA compromise, and would likewise require a re-execution of a large
> number of signing ceremonies.

I beg to differ.

When a well-connected introducer is newly compromised,
then this does not affect any trust relationships previously confirmed
by that introducer, only precludes adoption of trust for new relationships.

When a well-connected introducer turns out to have been never been
trust-worthy, it affects only those trust relationships where he
is the _only_ introducer (same effect as in single-key PKI models).


> 
> > The flaw with CRLs and OCSP is that it tries to infer, from a lack
> > of a revocation, that a certificate has been properly issued and is valid.
> > Evidently, this turned out to be a logical fallacy with respect to
> > real world usage scenarios.
> 
> Absent a trusted observer, there is no positive statement that can
> be issued by a CA that positively identifies only "valid" certificates.
> Given a trusted observer, why not make him the CA and be done with it?


Maybe because PKI(X) should be more about real-wold PKIs, and
less about Utopia.

Why should businesses and banks deal with accounting, audits and
fraud prevention, if they could simply use a system where fraud
is impossible.  As it turns out, it is impossible to create and run a 
"system where fraud is impossible" in the real world (even if they
wanted to), especially at a cost-level where business operation
makes sense.  So the second best approach is a security trade-off,
a system that makes business sense and can cope reasonably with
common real-world _operational_ problems, like software being subject
to bugs and staff being susceptible to social engineering, bribery
and threat/coercion.


I could imagine why crooks, hackers and certain agencies might not like
a backup scheme that makes subverting the PKI significantly harder.
But why should an engineer, and in particular one who understands and
cares about security, oppose addition of a backup scheme to address
the susceptibility of X.509 PKI to operational problems and risks
from the pesky (physical) real world?


-Martin