Re: [saag] post-X509 cryptographic identities

[Henry Story <henry.story@gmail.com>]

> On 13 Feb 2020, at 22:39, Nico Williams <nico@cryptonector.com> wrote:
> 
> On Thu, Feb 13, 2020 at 10:21:05PM +0100, Henry Story wrote:
>>> On 13 Feb 2020, at 21:51, Nico Williams <nico@cryptonector.com> wrote:
>>> DNS is very much also about registries and registrars, and that is where
>>> the rubber (protocol) meets the road (international law).
>> 
>> I have seen no DNS registrar publishing anywhere near the rich type
>> of information currently being published by companyhouse
>> https://www.gov.uk/government/organisations/companies-house 
> 
> They have the information.  Whether or not to publish it is a policy
> decision for the _registries_ and the sovereigns who have jurisdiction
> over them.

Let’s say the company registrars have the information for sure: 
they use it to collect taxes. DNS registrars may or may not be
able to get it, but it’s not as useful to them, they can’t 
use it to get taxes. 
In every country there are government appointed company
registrars that have been doing the job for at least a century.
It is just a question of tying them into the system. That’s 
what linked data is about.

> 
>> That is unlikely to happen either as DNS registrars are not in 
>> the business of describing legal entities, and they would not 
>> want to be liable for that type of information anyway. 
> 
> They could require, at registration time, permission to publish, though
> they almost certainly wouldn't.  They could reserve the right to publish
> it, or share it with researchers -- this most probably do.

See point above about the reason for governments to collect
this information and keep it. It’s very important to the
functioning of the state.

> 
>> On the other hand it is the role of national company registrars,
>> such as companyhouse.gov.uk to provide that.
>> 
>> It depends on what one considers a registrar.
> 
> Yes.
> 
> What's your proposal though?  To have us force them to publish this
> data?  To replace DNS so we can force publication of this data?
> Something else?  I'm confused.

State registrars are already starting to publish this data. I
gave you an example earlier in the thread about CompanyHouse
publishing it in json-ld.

They also have it available in html
https://beta.companieshouse.gov.uk/company/09920845

And you can query it with SPARQL
http://business.data.gov.uk/companies/app/explore/sparql.html

So there is no need to force them to do anything.

What is needed is to get a few of these national registrars to
agree on an ontology, so as to make it valuable for browsers
to get that information and display it in an elegant and
attractive fashion when needed, and for there to be
a way for that to be findable, either from the web site
or through DNS or both or more.

> 
>> It’s a lot easier for state registrars to publish their data
>> in extensible human and machine readable formats such as JSON-LD
>> on HTTPS servers that in DNS. So that’s where it is happening
>> and that’s where I expect it to continue happening.
> 
> Meh.  Either way.
> 
>>> DNS already has this by way of the registrars, which already have this.
>> 
>> Those are just special type of registrars. If you extend your
>> view of registrars, then you will see that what is
>> needed is to tie web sites (via DNS or HTTP headers or X509
>> fields) to those that are ultimately responsible for the rich
>> data that is needed, namely state based company or institution 
>> registrars.
> 
> Who needs that?  The public?  Maybe.  The public needs trust, and that
> could be transitive via the registries.  I don't think the public is
> going to be able to review this metadata anymore than they can review
> PKIX certificate and issuer metadata.  And having this metadata gets us
> no closer to solving the WebPKI problems.

That’s a User Interface issue.
I think it is quite clear that amazing user interfaces can
be built inside browsers.
That these have not been build around X509 is partly to do
with the poverty of the information available in those 
certificates, the static nature of them, the difficulty on
agreeing on OID standards to extend them, etc...

> 
> I'll make an assertion we can debate: it will be easier to earn user
> trust if there's a proper rooted issuer chain mirroring the DNS (i.e.,
> DNSSEC), but even then we'll need better regulation of registries by
> nation states, and of registrars by registries and nation states.

If you include company house they are already regulated, and they
are already publishing. They need to standardize somewhat so
that browsers can more easily consume the information, but that’s
it.

> 
>>> Whether such metadata should be public or not is a policy matter for
>>> each registry and associated governance framework (i.e., in the
>>> registry's legal jurisdiction(s)).  The IETF should not mandate
>>> publication of that data because publication is a policy matter, and the
>>> IETF has no leverage to impose such a mandate anyways.
>> 
>> The IETF like the W3C takes on the role of building spaces for
>> different groups to come to a consensus on some topic of relevance.
>> Improving security on the internet and the web is relevant to both.
>> I guess that the W3C is better equipped to help governments come
>> to consensus with web browsers on ontologies. Nevertheless there
>> would certainly be a role also at the IETF level too. In any case
>> being aware of this possibility could help direct future work here.
> 
> We don't quite have the political reach to solve the legal problems.  We
> can advise nation states.  We can attempt to create a replacement for
> the DNS and once again create monopolistic registries that nation states
> can then choose to regulate.  We probably cannot do much better than
> that.

Or we can do a duck-rabbit trick and see that what we need is right
there emerging in front of our eyes. :-)

> 
> Nico
> --