Re: [saag] Direct trust between users

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 25 April 2019 20:44 UTC

References: <CAMm+LwheS8mP8guk4++VNSfcp19kqcOZLxCHaV0=F02xyc7Aow@mail.gmail.com> <20190424182641.GL3137@localhost> <CAMm+LwjAPOf9eW9kpHfh=4MmSYLciHBJ4g2Kr32bkejpsdf3Xw@mail.gmail.com> <20190424233338.GP3137@localhost> <16119.1556207291@dooku.sandelman.ca>
In-Reply-To: <16119.1556207291@dooku.sandelman.ca>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 25 Apr 2019 16:44:15 -0400
Message-ID: <CAMm+Lwji0P=o+WzMOTr4ZbYDsiSUvt7evhgz-sPkPxQhdS_6pQ@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Nico Williams <nico@cryptonector.com>, IETF SAAG <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/DsfLQS4tUA80VNKdzC-00cyHxAs>
Subject: Re: [saag] Direct trust between users

On Thu, Apr 25, 2019 at 11:48 AM Michael Richardson <mcr+ietf@sandelman.ca> wrote:

>
> Nico Williams <nico@cryptonector.com> wrote:
>     > Long long ago I used to imagine the U.S. postal service selling what
>     > you might call EV user certificates: after all, there are post offices
>     > everywhere and their staff are trained in validating government-issued
>     > IDs, often they're even notaries public!  I supposed one might even be
>     > able to get attribute certs attesting that the holder of the key is,
>     > e.g., a citizen, or over 18 years of age.
>
> Canada Post had a key in the browser list for a decade or so, and there was
> some project with Entrust to do something, but I don't think it ever
> happened.
>

The US Post office had a series of proposed schemes as well. None of them
ever got anywhere because we poached their staff as fast as they could
train them.

Every 18 months some political appointee would attempt to start some
information superhighway effort. A team would be staffed up in the USPO and
learn about PKI. About twelve months in, they would be all nicely trained
up and we would show up and offer double their salary plus stock.

> I also don't understand why I have a scanned PDF from ic.gc.ca as a corporate
> identity, and not a PKIX certificate. They've had all the software to the
> PKIX key for 20+ years.
>

Yeah, sorry 'bout that.


> The post-office is unique in that it can get a letter to many people within
> 24h, rather cheaply, and I keep thinking that this is a better 2FA (or 3FA) for
> account recovery.
>

There is a classical problem called the innovator's dilemma that actually
mitigates against realizing such efficiencies.

>     > Upside: you won't need to train their employees in how to validate IDs.
>     > Downside: risks being more of a political than business relationship.
>
> Maybe Amazon has the clout with the Post Office to make that happen :-)
> [I say with only half tongue-in-cheek]
>   "Alexa, please renew my certificates"
>


It could be made to happen. But the way to make it happen would be to
design a system that is capable of

1) Solving a very small stand-alone problem by itself
2) Application to problems of arbitrary size.

I am just writing my submission to the deployment workshop (which I won't be
able to attend but thought I would submit to anyway). The paper describes
the approaches we took in the Web.

People think we just sat in our offices at CERN and waited for the Web to
take off. We didn't; we were busy pushing it as hard as we could long after
the Web was a success. One of my big fears was that the press that had been
building us up for so long would decide it was time to try and take us
down. They did - see the Time-Warner 'Cyberporn' article.