IETF Logo Mail Archive

Re: What are certificates fundamentally all about? [was: draft-turner-caclearanceconstraints-01.txt]

"Timothy J. Miller" <tmiller@mitre.org> Mon, 13 October 2008 14:26 UTC

Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BA4443A69CD for <ietfarch-pkix-archive@core3.amsl.com>; Mon, 13 Oct 2008 07:26:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aGgW59TCYI-5 for <ietfarch-pkix-archive@core3.amsl.com>; Mon, 13 Oct 2008 07:25:59 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id EA2FC3A67E3 for <pkix-archive@ietf.org>; Mon, 13 Oct 2008 07:25:58 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9DDeMbV097593 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 13 Oct 2008 06:40:22 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m9DDeMVb097592; Mon, 13 Oct 2008 06:40:22 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9DDeAcS097580 for <ietf-pkix@imc.org>; Mon, 13 Oct 2008 06:40:21 -0700 (MST) (envelope-from tmiller@mitre.org)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id m9DDeA1Y014503 for <ietf-pkix@imc.org>; Mon, 13 Oct 2008 09:40:10 -0400
Received: from imchub2.MITRE.ORG (imchub2.mitre.org [129.83.29.74]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id m9DDe9cS014492; Mon, 13 Oct 2008 09:40:09 -0400
Received: from [129.83.200.2] (129.83.200.2) by imchub2.MITRE.ORG (129.83.29.74) with Microsoft SMTP Server (TLS) id 8.1.278.0; Mon, 13 Oct 2008 09:40:09 -0400
Message-ID: <48F34FB6.2020205@mitre.org>
Date: Mon, 13 Oct 2008 08:40:06 -0500
From: "Timothy J. Miller" <tmiller@mitre.org>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: swilson@lockstep.com.au
CC: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Subject: Re: What are certificates fundamentally all about? [was: draft-turner-caclearanceconstraints-01.txt]
References: <p0624051bc5098b483ca0@[128.89.89.71]> <9F11911AED01D24BAA1C2355723C3D3218DDA55C66@EA-EXMSG-C332.europe.corp.microsoft.com> <48EFD404.6090602@lockstep.com.au>
In-Reply-To: <48EFD404.6090602@lockstep.com.au>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------ms050700090607020204060802"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

Stephen Wilson wrote:

> Then you can subtly adjust the conception of a PKC as being "an 
> assertion of an entity’s key and a RELATIVELY STATIC identity IN A 
> DEFINED CONTEXT".  A flexible interpretation of "identity in a defined 
> context" embraces things like my identity as an chartered engineer, my 
> identity as a business owner, my identity as a health insurance 
> subscriber, my identity as a bank account holder.  In each of these 
> scenarios, it would be very powerful for me to carry a separate 
> dedicated certificate with which to sign specific types of transactions 
> (e.g. engineering test reports, tax returns, health insurance claims, 
> and payment instructions respectively).  That is, four different 
> certificates all independently registered and managed, tightly coupled 
> to regular customer relationship management processes, probably carried 
> on separate smartcards.

We have that; it's called SPKI/SDSI.  :)

> To illustrate the point, I don't actually see any reason in principle 
> why a PKC could not be used to assert my identity (or relationship) as 
> 'a person cleared to Top Secret' so long as that relationship is 
> relatively long lived; say a few months.  Path validation is a cinch: 
> the relationship I would have express in my PKC is with a particular 
> vetting agency, which would appear in the path, with a Policy OID in the 
> Subject PKC that specifies the clearance protocol.  The Public Key of 
> the vetting agency -- or a higher Root Key -- would be the trust anchor 
> needed in a whole class of applications processing my digital signature 
> applied to Secret documents.

However, that's a *lot* of work, infrastructure, and code needed to 
communicate an attribute the relying party can more simply look up in a 
directory at the time of the transaction, or that the relying party can 
have communicated to it as part of an authorization token (InfoCard, 
OpenID, SAML, WS-*, etc.).

These schemes have the advantage of accommodating both static, 
relatively static, and highly dynamic attributes, *plus* supports 
non-person attributes such as environment level, current threat posture, 
etc.

In short, you have to have the directory anyway for at least some 
attributes, so it's simpler in the long run to stuff *all* the 
attributes in there.

-- Tim

v2.23.0 | Report a Bug | By Email