Re: [saag] post-X509 cryptographic identities

Nico Williams <nico@cryptonector.com> Thu, 13 February 2020 17:56 UTC

Date: Thu, 13 Feb 2020 11:56:27 -0600
From: Nico Williams <nico@cryptonector.com>
To: trutkowski@netmagic.com
Cc: Tony Finch <dot@dotat.at>, Michael Richardson <mcr+ietf@sandelman.ca>, saag@ietf.org
Message-ID: <20200213175626.GR18021@localhost>
References: <825b8c8e-7ee9-9276-d09e-9c006acf3804@ericsson.com> <CABcZeBOzJ2MRS8deZqN+e-o9tFDwgSrYK3_hmV-0pfO+L9oaVw@mail.gmail.com> <53c87d6b-cad1-3a80-291d-e2a896705da5@ericsson.com> <CABcZeBNJWmFTV==6sa0qnAPyRr4=6OiCacchzobE=RozHnqPdg@mail.gmail.com> <7901248e-c7dd-8a12-65df-f40415fde5e2@cs.tcd.ie> <26497.1581418516@dooku> <20200212002125.GO18021@localhost> <alpine.DEB.2.20.2002131443470.25433@grey.csi.cam.ac.uk> <20200213171324.GP18021@localhost> <d3d01f1f-5784-da84-1c59-e636d349bd2a@netmagic.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
In-Reply-To: <d3d01f1f-5784-da84-1c59-e636d349bd2a@netmagic.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/8PMvBwnhwdXic2LLpXWBl11Ev1g>
Subject: Re: [saag] post-X509 cryptographic identities
List-Id: Security Area Advisory Group <saag.ietf.org>

On Thu, Feb 13, 2020 at 12:34:12PM -0500, Tony Rutkowski wrote:
> We have had hierarchical trusted name systems for a while.  PSTN numbers
> still serve that function - which drove ENUM.
> 
> The old idealized legacy DNS model arguably disappeared with vigorous
> competition among alternative root servers, e.g., 1.1.1.1, 8.8.8.8, etc.

The registries and registrars haven't changed.  The quad-Ns have not yet
balkanized the namespace.  They could, and they might, but it'd be
awfully controversial, and it's not likely to happen.

Moreover, DNSSEC still prevents namespace balkanization, and the quad-Ns
aren't yet replacing the root keys with their own.  Nation states _can_
pull this off because they can force people within their jurisdictions
to use balkanized DNS.  And quad-N providers might even provide that
service to nation states, but we're not there yet, and that's not
evidence that a global namespace is bad.

> Then there is also the shift to E2E MEF Ethernet...or with DONA's Handle
> System.
> 
> All of this arguably underscores the continuing need for a trusted PKI
> cert.  As you note, sovereign registries have value.

The registries need not be sovereign, but the dispute resolution
mechanisms they tie into must be.

Users need ways to establish trust.  Person-to-person (or device-to-
device) trust establishment is amenable to TOFU, but customer-to-
provider trust is not really.  The latter requires a namespace that
users can navigate to find -ultimately- where to bring civil suit if
need be.

Nico
--