Re: [pkng] Where to go? What to do?
Massimiliano Pala <Massimiliano.Pala@Dartmouth.edu> Fri, 01 October 2010 20:45 UTC
Hi Daniel,

On 10/01/2010 04:25 PM, Daniel Kahn Gillmor wrote:
[..]
> Though we most likely aren't using the protocols you describe (we're not
> even relying on X.509), we actually already have something like this up
> and running. The Monkeysphere project (http://web.monkeysphere.info/ --
> I'm one of the developers) uses the P2P SKS keyserver network to
> distribute OpenPGP certificates, which are in turn used to authenticate
> network peers (primarily HTTPS and SSH at the moment).

It seems to me a good start.. I think we both were going in a very similar
direction although I am more oriented in supporting more classical PKIs to
better address scalability, in my experience PGP tends to work great in
small communities but not so well in large-scale open environments. My
system works best when there's a central body that would provide some rules
(federation) for trusting a set of CAs (e.g., Grid Computing). The user
would need to trust the Federation's certificate (and potentially set a
usage context for trusting that particular federation).

> We treat any existing X.509 certificates as raw carriers for public key
> material, and authenticate the material through the OpenPGP Web of
> Trust. This means using the same PKI (the WoT) for mail, web browsing,
> and SSH, which means we have the potential for intuitive UI
> consolidation that humans might be able to understand.

I do really like your approach to support usable UIs - I think that by
fixing the issues at the lower layer (thus simplifying the interaction with
trust infrastructures) we can provide users (and developers) with easier to
understand and clean UIs.

> It also means that multiple authorities can choose to certify the same
> entity, which breaks one of the big stumbling blocks in the way the
> X.509 arrangement is currently set up. (single-certifier certificates
> cause CA lock-in for many parties; CA lock-in dramatically increases the
> risk of compromise of authenticated networked communications).

Not sure I understand this comment. I can go and have my keys certified by
different CAs. The different usage and issuer will provide me with
different trust levels depending on the context. I would say that today it
is difficult to express the "context".

> I (and the rest of the Monkeysphere team) would welcome any criticisms,
> suggestions, or concerns you have about this project. The system is
> already in use, and we hope to see it grow healthily.

I think it is great that you already deployed such a system. Personally, if
the intent is to provide support for Internet-wide environments, I would
move away from PGP.. although, the support system, could be totally
independent from the format and just act as a discovery system for the
specific technology used. In other words, I think the PKS should provide
support for different PK technologies at the same time - is that possible ?
Well.. that's our work to find out, isn't it ?

--
Best Regards,

Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]
openca@acm.org
project.manager@openca.org

Dartmouth Computer Science Dept    Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory               Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------

People who think they know everything are a great annoyance to those of
us who do.
                                                         -- Isaac Asimov