Re: [saag] post-X509 cryptographic identities

Nico Williams <nico@cryptonector.com> Thu, 13 February 2020 22:20 UTC

Date: Thu, 13 Feb 2020 16:20:15 -0600
From: Nico Williams <nico@cryptonector.com>
To: trutkowski@netmagic.com
Cc: Henry Story <henry.story@gmail.com>, Michael Richardson <mcr+ietf@sandelman.ca>, saag@ietf.org
Message-ID: <20200213222012.GV18021@localhost>
References: <d3d01f1f-5784-da84-1c59-e636d349bd2a@netmagic.com> <20200213175626.GR18021@localhost> <65357327-e2d7-89cc-221e-ed8ac2875048@netmagic.com> <A91F5BD6-BFBA-4BA7-9158-3F41A8F0F7D9@gmail.com> <20200213191952.GS18021@localhost> <9FEBBD2A-3578-436A-92E3-192CADC9FA8B@gmail.com> <20200213205158.GT18021@localhost> <43D1454A-C1DD-4742-A14C-F608F296208C@gmail.com> <20200213213953.GU18021@localhost> <8390efa4-a212-f0ee-d78e-8e997242d72a@netmagic.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
In-Reply-To: <8390efa4-a212-f0ee-d78e-8e997242d72a@netmagic.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/KJigI6zfjv9K1koK-v9VIIOaS-Y>
Subject: Re: [saag] post-X509 cryptographic identities
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Feb 2020 22:20:27 -0000

On Thu, Feb 13, 2020 at 05:02:16PM -0500, Tony Rutkowski wrote:
> All important electrical communication identifier systems invariably end up
> at the point of nation state regulation. Consider what is occurring now with
> telephone CallerID which went through a full cycle of regulation to
> deregulation to re-regulation.  There are several compelling bases.  On one
> side, nation states have sovereign jurisdiction over all communication
> within their geospatial boundaries and assert it for a swath of national
> security and law enforcement reasons.  On the other, the providers seek
> indemnification (antitrust and tort) and the end users an expectation of
> trust and consumer protection.  Consider it a recognition of relevance.
> 
> The DARPA DNS itself went through a cycle of strong government regulation to
> deregulation to Ira Magaziner's scheme for healthcare governance (a/k/a
> ICANN) and now likely to re-regulation or irrelevance.

I am in full agreement.

It is fair to predict that anything new that might replace WebPKI or DNS
will have to deal with regulation of registries eventually, and should
be designed with it in mind.

I'm just quite skeptical that the DNS could be replaced.  The protocol,
perhaps, some of the details, sure, but domain names?  The registries?
Nah.  Anything new will have to be in-addition-to DNS for a long time,
or bolted-onto DNS (e.g., DANE).

Back to Henry S.'s call for more public metadata...  More metadata
doesn't help the user.  E.g., when I need some less-well-known app from
an app store, I often find apparent dups by different vendors, and it's
hard to tell which one is legitimate if any, and the vendor names
(metadata) often don't help in the least because they are obscure enough
that the user can't really do anything with them -- the user is entirely
at the mercy of the curators, and the curators are obviously not doing a
good enough job.  Requiring more public metadata may not help at all,
not without lots more regulation and off-line authentication of said
metadata, with attendant problems.

PS: The telephone system has the great misfortune of being stuck with
    SS7; the DNS is ahead on security.