Re: [saag] post-X509 cryptographic identities

Tony Rutkowski <trutkowski.netmagic@gmail.com> Thu, 13 February 2020 18:18 UTC

From: Tony Rutkowski <trutkowski.netmagic@gmail.com>
X-Google-Original-From: Tony Rutkowski <trutkowski@netmagic.com>
Reply-To: trutkowski@netmagic.com
To: Nico Williams <nico@cryptonector.com>
Cc: Tony Finch <dot@dotat.at>, Michael Richardson <mcr+ietf@sandelman.ca>, saag@ietf.org
References: <825b8c8e-7ee9-9276-d09e-9c006acf3804@ericsson.com> <CABcZeBOzJ2MRS8deZqN+e-o9tFDwgSrYK3_hmV-0pfO+L9oaVw@mail.gmail.com> <53c87d6b-cad1-3a80-291d-e2a896705da5@ericsson.com> <CABcZeBNJWmFTV==6sa0qnAPyRr4=6OiCacchzobE=RozHnqPdg@mail.gmail.com> <7901248e-c7dd-8a12-65df-f40415fde5e2@cs.tcd.ie> <26497.1581418516@dooku> <20200212002125.GO18021@localhost> <alpine.DEB.2.20.2002131443470.25433@grey.csi.cam.ac.uk> <20200213171324.GP18021@localhost> <d3d01f1f-5784-da84-1c59-e636d349bd2a@netmagic.com> <20200213175626.GR18021@localhost>
Organization: Netmagic Associates LLC
Message-ID: <65357327-e2d7-89cc-221e-ed8ac2875048@netmagic.com>
Date: Thu, 13 Feb 2020 13:18:36 -0500
In-Reply-To: <20200213175626.GR18021@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/8CkX7e-jfECDlDJ-k5Q_fd9fPBI>

Antitrust and tort liability are significant components here as well, 
and the support by sovereigns provides immunity.  Why antitrust 
enforcement or litigation hasn't occurred already seems almost improbable.

The billions of OID-tagged objects with certificates originally 
envisioned by Jim White and others at PARC were predicated on immunity 
provided by sovereigns.  Indeed, the US portion of the namespace was 
covered by a DOC proceeding in 1992.  Two years later, the newly 
free-floating IANA would adopt a no-trust approach to generate money for 
the growing DARPA DNS domain name business.  See 
http://www.circleid.com/posts/20180113_the_meeting_that_changed_the_darpa_datagram_internet/

--tony

On 2020-02-13 12:56 PM, Nico Williams wrote:
> On Thu, Feb 13, 2020 at 12:34:12PM -0500, Tony Rutkowski wrote:
>> We have had hierarchical trusted name systems for a while.  PSTN numbers
>> still serve that function - which drove ENUM.
>>
>> The old idealized legacy DNS model arguably disappeared with vigorous
>> competition among alternative root servers, e.g., 1.1.1.1, 8.8.8.8, etc.
> The registries and registrars haven't changed.  The quad-Ns have not yet
> balkanized the namespace.  They could, and they might, but it'd be
> awfully controversial, and it's not likely to happen.
>
> Moreover, DNSSEC still prevents namespace balkanization, and the quad-Ns
> aren't yet replacing the root keys with their own.  Nation states _can_
> pull this off because they can force people within their jurisdictions
> to use balkanized DNS.  And quad-N providers might even provide that
> service to nation states, but we're not there yet, and that's not
> evidence that a global namespace is bad.
>
>> Then there is also the shift to E2E MEF Ethernet...or with DONA's Handle
>> System.
>>
>> All of this arguably underscores the continuing need for a trusted PKI
>> cert.  As you note, sovereign registries have value.
> The registries need not be sovereign, but the dispute resolution
> mechanisms they tie into must be.
>
> Users need ways to establish trust.  Person-to-person (or device-to-
> device) trust establishment is amenable to TOFU, but customer-to-
> provider trust is not really.  The latter requires a namespace that
> users can navigate to find -ultimately- where to bring civil suit if
> need be.
>
> Nico