IETF Logo Mail Archive

Re: [saag] post-X509 cryptographic identities

Nico Williams <nico@cryptonector.com> Thu, 13 February 2020 20:52 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96EC312026E for <saag@ietfa.amsl.com>; Thu, 13 Feb 2020 12:52:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b1fYziWs_Put for <saag@ietfa.amsl.com>; Thu, 13 Feb 2020 12:52:09 -0800 (PST)
Received: from fossa.birch.relay.mailchannels.net (fossa.birch.relay.mailchannels.net [23.83.209.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97741120096 for <saag@ietf.org>; Thu, 13 Feb 2020 12:52:09 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 065FF20DFC; Thu, 13 Feb 2020 20:52:09 +0000 (UTC)
Received: from pdx1-sub0-mail-a6.g.dreamhost.com (100-96-0-7.trex.outbound.svc.cluster.local [100.96.0.7]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 80C66211FD; Thu, 13 Feb 2020 20:52:08 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a6.g.dreamhost.com ([TEMPUNAVAIL]. [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.18.5); Thu, 13 Feb 2020 20:52:08 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Society-Chief: 32ca36442c6e59b8_1581627128787_1879222293
X-MC-Loop-Signature: 1581627128787:1442992669
X-MC-Ingress-Time: 1581627128786
Received: from pdx1-sub0-mail-a6.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a6.g.dreamhost.com (Postfix) with ESMTP id B41857EE69; Thu, 13 Feb 2020 12:52:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to:content-transfer-encoding; s= cryptonector.com; bh=x+pzHc0AWRALf2PGLNHdBzTzM8g=; b=AtciRdMRVAh RJQSN2seXT+/dhdLXl4B3+h0NSaNBO5rxTA3tZ0XuPkvxqFLQGRRQ08tmDCDCLO9 Eux+GJC/3h/QLdNOtcdb8Jvu7T6/w5uZyFEBx/TdOCTCfR4bBOcfBOWdNyVur5/i PWjTQ7ksrvv+5l6VNG1w0lYhBEBJyqSI=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a6.g.dreamhost.com (Postfix) with ESMTPSA id EF43F7EE44; Thu, 13 Feb 2020 12:52:01 -0800 (PST)
Date: Thu, 13 Feb 2020 14:51:59 -0600
X-DH-BACKEND: pdx1-sub0-mail-a6
From: Nico Williams <nico@cryptonector.com>
To: Henry Story <henry.story@gmail.com>
Cc: trutkowski@netmagic.com, Michael Richardson <mcr+ietf@sandelman.ca>, saag@ietf.org
Message-ID: <20200213205158.GT18021@localhost>
References: <26497.1581418516@dooku> <20200212002125.GO18021@localhost> <alpine.DEB.2.20.2002131443470.25433@grey.csi.cam.ac.uk> <20200213171324.GP18021@localhost> <d3d01f1f-5784-da84-1c59-e636d349bd2a@netmagic.com> <20200213175626.GR18021@localhost> <65357327-e2d7-89cc-221e-ed8ac2875048@netmagic.com> <A91F5BD6-BFBA-4BA7-9158-3F41A8F0F7D9@gmail.com> <20200213191952.GS18021@localhost> <9FEBBD2A-3578-436A-92E3-192CADC9FA8B@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <9FEBBD2A-3578-436A-92E3-192CADC9FA8B@gmail.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedugedrieekgddugeegucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepfffhvffukfhfgggtugfgjggfsehtkeertddtreejnecuhfhrohhmpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqnecukfhppedvgedrvdekrddutdekrddukeefnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmohguvgepshhmthhppdhhvghloheplhhotggrlhhhohhsthdpihhnvghtpedvgedrvdekrddutdekrddukeefpdhrvghtuhhrnhdqphgrthhhpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqpdhmrghilhhfrhhomhepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhdpnhhrtghpthhtohepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomh
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/DNZCoXiONBITXNx6JM18bQRpdLk>
Subject: Re: [saag] post-X509 cryptographic identities
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Feb 2020 20:52:12 -0000

On Thu, Feb 13, 2020 at 09:33:47PM +0100, Henry Story wrote:
> > Yes.  But would any alternative look that different to the current
> > DNS?  I am very skeptical.
> 
> As I see it, the problems is not at the naming layer
> at which DNS is located where the problem is that of attaching a name 
> to an IP Address. Whatever system is used - bare ipv6-addresses, 
> namecoins, onion domains,… - all these  only give a way to identify 
> agencies in charge of machines. What is important is knowing what
> agencies those are!

DNS is not just for resolving names to IP addresses and such!

DNS is very much also about registries and registrars, and that is where
the rubber (protocol) meets the road (international law).

In fact, purpose, authority, and delegation of authority are the
essential aspects of DNS, not the protocol, not how it's used, not even
the data model.

You could replace the UDP port 53 protocol with a RESTful HTTP JSON API
running of any version of HTTP (including 3), including accessible RDATA
representations (i.e., not binary).  You could even replace all the
RRtypes and RDATA and have only domainnames in common with today's DNS.
That's all a matter of software and schema mapping.  But the one thing
that cannot be anywhere near as easy to replace is the business and
legal ends of it: authority, delegation, registries.  That and
domainnames (because they have bled into the UI/UX).

> What is needed is rich information that ties these ”publication
> machines” to machine readable official information about those
> entities.  This info exists: states put that together to gather taxes,
> provide services, base legal enforcement on it, … 

DNS already has this by way of the registrars, which already have this.

> The web site could link to such official machine readable information
> by using a ”registry” Link relation in an http header.

Whether such metadata should be public or not is a policy matter for
each registry and associated governance framework (i.e., in the
registry's legal jurisdiction(s)).  The IETF should not mandate
publication of that data because publication is a policy matter, and the
IETF has no leverage to impose such a mandate anyways.

Nico
--

v2.23.0 | Report a Bug | By Email