Re: [saag] post-X509 cryptographic identities

[Nico Williams <nico@cryptonector.com>]

On Thu, Feb 13, 2020 at 10:21:05PM +0100, Henry Story wrote:
> > On 13 Feb 2020, at 21:51, Nico Williams <nico@cryptonector.com> wrote:
> > DNS is very much also about registries and registrars, and that is where
> > the rubber (protocol) meets the road (international law).
> 
> I have seen no DNS registrar publishing anywhere near the rich type
> of information currently being published by companyhouse
> https://www.gov.uk/government/organisations/companies-house 

They have the information.  Whether or not to publish it is a policy
decision for the _registries_ and the sovereigns who have jurisdiction
over them.

> That is unlikely to happen either as DNS registrars are not in 
> the business of describing legal entities, and they would not 
> want to be liable for that type of information anyway. 

They could require, at registration time, permission to publish, though
they almost certainly wouldn't.  They could reserve the right to publish
it, or share it with researchers -- this most probably do.

> On the other hand it is the role of national company registrars,
> such as companyhouse.gov.uk to provide that.
> 
> It depends on what one considers a registrar.

Yes.

What's your proposal though?  To have us force them to publish this
data?  To replace DNS so we can force publication of this data?
Something else?  I'm confused.

> It’s a lot easier for state registrars to publish their data
> in extensible human and machine readable formats such as JSON-LD
> on HTTPS servers that in DNS. So that’s where it is happening
> and that’s where I expect it to continue happening.

Meh.  Either way.

> > DNS already has this by way of the registrars, which already have this.
> 
> Those are just special type of registrars. If you extend your
> view of registrars, then you will see that what is
> needed is to tie web sites (via DNS or HTTP headers or X509
> fields) to those that are ultimately responsible for the rich
> data that is needed, namely state based company or institution 
> registrars.

Who needs that?  The public?  Maybe.  The public needs trust, and that
could be transitive via the registries.  I don't think the public is
going to be able to review this metadata anymore than they can review
PKIX certificate and issuer metadata.  And having this metadata gets us
no closer to solving the WebPKI problems.

I'll make an assertion we can debate: it will be easier to earn user
trust if there's a proper rooted issuer chain mirroring the DNS (i.e.,
DNSSEC), but even then we'll need better regulation of registries by
nation states, and of registrars by registries and nation states.

> > Whether such metadata should be public or not is a policy matter for
> > each registry and associated governance framework (i.e., in the
> > registry's legal jurisdiction(s)).  The IETF should not mandate
> > publication of that data because publication is a policy matter, and the
> > IETF has no leverage to impose such a mandate anyways.
> 
> The IETF like the W3C takes on the role of building spaces for
> different groups to come to a consensus on some topic of relevance.
> Improving security on the internet and the web is relevant to both.
> I guess that the W3C is better equipped to help governments come
> to consensus with web browsers on ontologies. Nevertheless there
> would certainly be a role also at the IETF level too. In any case
> being aware of this possibility could help direct future work here.

We don't quite have the political reach to solve the legal problems.  We
can advise nation states.  We can attempt to create a replacement for
the DNS and once again create monopolistic registries that nation states
can then choose to regulate.  We probably cannot do much better than
that.

Nico
--