Re: [saag] post-X509 cryptographic identities

[Henry Story <henry.story@gmail.com>]

> On 13 Feb 2020, at 21:51, Nico Williams <nico@cryptonector.com> wrote:
> 
> On Thu, Feb 13, 2020 at 09:33:47PM +0100, Henry Story wrote:
>>> Yes.  But would any alternative look that different to the current
>>> DNS?  I am very skeptical.
>> 
>> As I see it, the problems is not at the naming layer
>> at which DNS is located where the problem is that of attaching a name 
>> to an IP Address. Whatever system is used - bare ipv6-addresses, 
>> namecoins, onion domains,… - all these  only give a way to identify 
>> agencies in charge of machines. What is important is knowing what
>> agencies those are!
> 
> DNS is not just for resolving names to IP addresses and such!
> 
> DNS is very much also about registries and registrars, and that is where
> the rubber (protocol) meets the road (international law).

I have seen no DNS registrar publishing anywhere near the rich type
of information currently being published by companyhouse
https://www.gov.uk/government/organisations/companies-house 

That is unlikely to happen either as DNS registrars are not in 
the business of describing legal entities, and they would not 
want to be liable for that type of information anyway. 

On the other hand it is the role of national company registrars,
such as companyhouse.gov.uk to provide that.

It depends on what one considers a registrar.

> 
> In fact, purpose, authority, and delegation of authority are the
> essential aspects of DNS, not the protocol, not how it's used, not even
> the data model.
> 
> You could replace the UDP port 53 protocol with a RESTful HTTP JSON API
> running of any version of HTTP (including 3), including accessible RDATA
> representations (i.e., not binary).  You could even replace all the
> RRtypes and RDATA and have only domainnames in common with today's DNS.
> That's all a matter of software and schema mapping.  But the one thing
> that cannot be anywhere near as easy to replace is the business and
> legal ends of it: authority, delegation, registries.  That and
> domainnames (because they have bled into the UI/UX).

It’s a lot easier for state registrars to publish their data
in extensible human and machine readable formats such as JSON-LD
on HTTPS servers that in DNS. So that’s where it is happening
and that’s where I expect it to continue happening.

> 
>> What is needed is rich information that ties these ”publication
>> machines” to machine readable official information about those
>> entities.  This info exists: states put that together to gather taxes,
>> provide services, base legal enforcement on it, … 
> 
> DNS already has this by way of the registrars, which already have this.

Those are just special type of registrars. If you extend your
view of registrars, then you will see that what is
needed is to tie web sites (via DNS or HTTP headers or X509
fields) to those that are ultimately responsible for the rich
data that is needed, namely state based company or institution 
registrars.

> 
>> The web site could link to such official machine readable information
>> by using a ”registry” Link relation in an http header.
> 
> Whether such metadata should be public or not is a policy matter for
> each registry and associated governance framework (i.e., in the
> registry's legal jurisdiction(s)).  The IETF should not mandate
> publication of that data because publication is a policy matter, and the
> IETF has no leverage to impose such a mandate anyways.

The IETF like the W3C takes on the role of building spaces for
different groups to come to a consensus on some topic of relevance.
Improving security on the internet and the web is relevant to both.
I guess that the W3C is better equipped to help governments come
to consensus with web browsers on ontologies. Nevertheless there
would certainly be a role also at the IETF level too. In any case
being aware of this possibility could help direct future work here.

Henry Story
Twitter: bblfish
https://co-operating.systems/


> 
> Nico
> --