IETF Logo Mail Archive

[saag] post-X509 cryptographic identities

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 11 February 2020 10:55 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E92512008B for <saag@ietfa.amsl.com>; Tue, 11 Feb 2020 02:55:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.5
X-Spam-Level: **
X-Spam-Status: No, score=2.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, RCVD_IN_SBL_CSS=3.335, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NkB41FivR73p for <saag@ietfa.amsl.com>; Tue, 11 Feb 2020 02:55:19 -0800 (PST)
Received: from relay.sandelman.ca (minerva.sandelman.ca [IPv6:2a01:7e00::3d:b000]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4724D12007C for <saag@ietf.org>; Tue, 11 Feb 2020 02:55:19 -0800 (PST)
Received: from dooku.sandelman.ca (ip5f5bd76d.dynamic.kabel-deutschland.de [95.91.215.109]) by relay.sandelman.ca (Postfix) with ESMTPS id 7DAE21F459; Tue, 11 Feb 2020 10:55:17 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 0B42A1A1478; Tue, 11 Feb 2020 11:55:16 +0100 (CET)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, saag@ietf.org
In-reply-to: <7901248e-c7dd-8a12-65df-f40415fde5e2@cs.tcd.ie>
References: <157762745765.1150.7880025422884493076@ietfa.amsl.com> <2C5DFA70-AD0E-4139-B28E-2D4EDB6E5409@sinodun.com> <46BDE9EB-6306-4194-AFFA-7E9E6604765F@sinodun.com> <825b8c8e-7ee9-9276-d09e-9c006acf3804@ericsson.com> <CABcZeBOzJ2MRS8deZqN+e-o9tFDwgSrYK3_hmV-0pfO+L9oaVw@mail.gmail.com> <53c87d6b-cad1-3a80-291d-e2a896705da5@ericsson.com> <CABcZeBNJWmFTV==6sa0qnAPyRr4=6OiCacchzobE=RozHnqPdg@mail.gmail.com> <7901248e-c7dd-8a12-65df-f40415fde5e2@cs.tcd.ie>
Comments: In-reply-to Stephen Farrell <stephen.farrell@cs.tcd.ie> message dated "Tue, 11 Feb 2020 03:39:41 +0000."
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.2.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Tue, 11 Feb 2020 11:55:16 +0100
Message-ID: <26497.1581418516@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/WrqaB8UW-YgGH2k04rx8nh7jINI>
Subject: [saag] post-X509 cryptographic identities
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2020 10:55:20 -0000

Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote in a IETF-last call thread:
    > Anyway overall I take this as more evidence that
    > x.509-based pki has outlived it's useful lifetime.
    > Given the webpki needs CT (which it totally does)
    > and now maybe novel revocation mechanisms like this,
    > (as well as soon-to-be PQ schemes if we believe
    > what people tell us), I'd argue it may well be time
    > to try see if there's any consensus on a post-x.509
    > direction towards which to head.

I agree with you strongly.
A centralized, single CRL from the single global PKI was certainly among the
original ideas envisioned.
Then we decentralized the PKI, add CT and added OCSP.

Now we are unifying again :-)
Mozilla could, for instance, create a new higher-level CA, sign all of the
existing trust anchors they ship, and effectively be back at X509.

----

While I am generally not in favour of extensive requirements processes, I
think that this does merit it.   Including publishing the document as
RF*Comments*, and seeking comments widely from other parties.

I am sure that mathmesh fits in here.

I think that the document needs to semi-biographical (or whatever the word is
for a history of thing).
{a creative author could write this in the first person: memoirs of X509}

I think that the document would say a series of things:
  The designers of X500/X509 intended X, but it turned out that this
  did not happen, and instead PKIX did Y.

(One could substitute X=DN, Y=SAN for instance)

I think that it is important for any new identity system to recognize what
forces pushed us away from the original vision.
We made engineering tradeoffs based upon time, code, bandwidth, round-trips
and threats.   Not every such decision is still justified.

So this requirements document would essentially be some kind of loving
criticism.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email