Re: [pkng] Where to go? What to do?

Massimiliano Pala <Massimiliano.Pala@Dartmouth.edu> Fri, 01 October 2010 20:45 UTC

Return-Path: <Massimiliano.Pala@Dartmouth.edu>
X-Original-To: pkng@core3.amsl.com
Delivered-To: pkng@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2D6043A6E54 for <pkng@core3.amsl.com>; Fri, 1 Oct 2010 13:45:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.312
X-Spam-Level:
X-Spam-Status: No, score=-5.312 tagged_above=-999 required=5 tests=[AWL=-1.087, BAYES_00=-2.599, MISSING_HEADERS=1.292, RCVD_IN_DNSWL_MED=-4, URIBL_RHS_DOB=1.083]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RRqqZ6njDkD1 for <pkng@core3.amsl.com>; Fri, 1 Oct 2010 13:45:44 -0700 (PDT)
Received: from mailhub2.dartmouth.edu (mailhub2.dartmouth.edu [129.170.17.107]) by core3.amsl.com (Postfix) with ESMTP id 2D3B33A6E66 for <pkng@irtf.org>; Fri, 1 Oct 2010 13:45:44 -0700 (PDT)
Received: from newblitzen.Dartmouth.EDU (newblitzen.Dartmouth.EDU [129.170.208.36]) by mailhub2.dartmouth.edu (8.13.5/DND2.0/8.13.5) with ESMTP id o91KV2qi009588 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <pkng@irtf.org>; Fri, 1 Oct 2010 16:46:26 -0400
X-Disclaimer: This message was received from outside Dartmouth's BlitzMail system.
Received: from dhcp-212-226.cs.dartmouth.edu [129.170.212.226] by newblitzen.Dartmouth.EDU (Mac) via SMTP for pkng@irtf.org id <177897129>; 01 Oct 2010 16:46:26 -0400
Message-ID: <4CA64938.5090809@Dartmouth.edu>
Date: Fri, 01 Oct 2010 16:48:56 -0400
From: Massimiliano Pala <Massimiliano.Pala@Dartmouth.edu>
Organization: Dartmouth College / OpenCA Labs
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.12) Gecko/20100907 Fedora/3.0.7-1.fc12 Lightning/1.0b2pre Thunderbird/3.0.7
MIME-Version: 1.0
CC: pkng@irtf.org
References: <p06240825c8c7fd5ca338@[10.20.30.163]> <4CA63F67.4010101@Dartmouth.edu> <4CA643C9.9040509@fifthhorseman.net>
In-Reply-To: <4CA643C9.9040509@fifthhorseman.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms040203050601000103050105"
X-MailScanner: Found to be clean by mailhub2.dartmouth.edu
X-MailScanner-From: massimiliano.pala@dartmouth.edu
Subject: Re: [pkng] Where to go? What to do?
X-BeenThere: pkng@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Public Key Next Generation \(PKNG\) Research Group" <pkng.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/listinfo/pkng>, <mailto:pkng-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/pkng>
List-Post: <mailto:pkng@irtf.org>
List-Help: <mailto:pkng-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/pkng>, <mailto:pkng-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Oct 2010 20:45:47 -0000

Hi Daniel,

On 10/01/2010 04:25 PM, Daniel Kahn Gillmor wrote:
[..]
> Though we most likely aren't using the protocols you describe (we're not
> even relying on X.509), we actually already have something like this up
> and running.  The Monkeysphere project (http://web.monkeysphere.info/ --
> i'm one of the developers) uses the P2P SKS keyserver network to
> distribute OpenPGP certificates, which are in turn used to authenticate
> netork peers (primarily HTTPS and SSH at the moment).

It seems to me a good start.. I think we both were going in a very similar
direction although I am more oriented in supporting more classical PKIs
to better address scalability, in my experience PGP tends to work great
in small communities but not so well in large-scale open environments.

My system works best when there's a central body that would provide some
rules (federation) for trusting a set of CAs (eg., Grid Computing). The
user would need to trust the Federation's certificate (and potentially
set a usage context for trusting that particular federation).

> We treat any existing X.509 certificates as raw carriers for public key
> material, and authenticate the material through the OpenPGP Web of
> Trust.  This means using the same PKI (the WoT) for mail, web browsing,
> and SSH, which means we have the potential for intuitive UI
> consolidation that humans might be able to understand.

I do really like your approach to support usable UIs - I think that by
fixing the issues at the lower layer (thus simplifying the interaction
with trust infrastructures) we can provide users (and developers) with
easier to understand and clean UIs.

> It also means that multiple authorities can choose to certify the same
> entity, which breaks one of the big stumbling blocks in the way the
> X.509 arrangement is currently set up.  (single-certifier certificates
> cause CA lock-in for many parties; CA lock-in dramatically increases the
> risk of compromise of authenticated networked communications).

Not sure I understand this comment. I can go and have my keys certified
by different CAs. The different usage and issuer will provide me with
different trust levels depending on the context. I would say that today
it is difficult to express the "context".

> I (and the rest of the Monkeysphere team) would welcome any criticisms,
> suggestions, or concerns you have about this project.  The system is
> already in use, and we hope to see it grow healthily.

I think it is great that you already deployed such a system. Personally,
if the intent is to provide support for Internet-wide environments, I
would move away from PGP.. although, the support system, could be totally
independent from the format and just act as a discovery system for the
specific technology used. In other words, I think the PKS should provide
support for different PK technologies at the same time - is that possible ?
Well.. that's our work to find out, isn't it ?


-- 

Best Regards,

	Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]                   openca@acm.org
                                                  project.manager@openca.org

Dartmouth Computer Science Dept               Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory                          Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us
who do.
							   -- Isaac Asimov