Re: [saag] post-X509 cryptographic identities

[Tony Rutkowski <trutkowski.netmagic@gmail.com>]

It is interesting that no one is addressing Bob Kahn's evolving models.  
Bob, after all, approved, paid for, and nurtured DARPA's DNS and BIND 
namespace/platforms. (The BIND part proved serendipitous but ultimately 
critical because some Berkeley grad students needed a funded project.)

In the 1990s, he created the DOI namespace and infrastructure to 
identity and resolve all network based objects with IPR significance.  
He achieved a measure of success by obtaining both government support 
and transferring authority to a nominally global non-profit foundation 
(the International DOI Foundation) while maintaining some continuing 
control of the BIND equivalent. It has been quite successful, and even 
RFCs now have DOIs.

Shortly afterwards, he rolled out Handles as a superstructure for all 
network identifiers.  Success for that namespace and platform proved 
more difficult.  Ultimately he used a combination of intergovernmental 
nexus (ITU-T X.1255) plus treaty conference resolutions - combined with 
a slightly more independent global non-profit foundation based in Geneva 
(the DONA Foundation).  The success has proven more elusive, even as 
some nations have considered it as an alternative/backup for DNS, and in 
theory solves the meta-identifier problem that will get more vexing as 
object namespaces proliferate.

Views?

--tony


On 2020-02-13 5:12 PM, Henry Story wrote:
>
>> On 13 Feb 2020, at 22:39, Nico Williams <nico@cryptonector.com> wrote:
>>
>> On Thu, Feb 13, 2020 at 10:21:05PM +0100, Henry Story wrote:
>>>> On 13 Feb 2020, at 21:51, Nico Williams <nico@cryptonector.com> wrote:
>>>> DNS is very much also about registries and registrars, and that is where
>>>> the rubber (protocol) meets the road (international law).
>>> I have seen no DNS registrar publishing anywhere near the rich type
>>> of information currently being published by companyhouse
>>> https://www.gov.uk/government/organisations/companies-house
>> They have the information.  Whether or not to publish it is a policy
>> decision for the _registries_ and the sovereigns who have jurisdiction
>> over them.
> Let’s say the company registrars have the information for sure:
> they use it to collect taxes. DNS registrars may or may not be
> able to get it, but it’s not as useful to them, they can’t
> use it to get taxes.
> In every country there are government appointed company
> registrars that have been doing the job for at least a century.
> It is just a question of tying them into the system. That’s
> what linked data is about.
>
>>> That is unlikely to happen either as DNS registrars are not in
>>> the business of describing legal entities, and they would not
>>> want to be liable for that type of information anyway.
>> They could require, at registration time, permission to publish, though
>> they almost certainly wouldn't.  They could reserve the right to publish
>> it, or share it with researchers -- this most probably do.
> See point above about the reason for governments to collect
> this information and keep it. It’s very important to the
> functioning of the state.
>
>>> On the other hand it is the role of national company registrars,
>>> such as companyhouse.gov.uk to provide that.
>>>
>>> It depends on what one considers a registrar.
>> Yes.
>>
>> What's your proposal though?  To have us force them to publish this
>> data?  To replace DNS so we can force publication of this data?
>> Something else?  I'm confused.
> State registrars are already starting to publish this data. I
> gave you an example earlier in the thread about CompanyHouse
> publishing it in json-ld.
>
> They also have it available in html
> https://beta.companieshouse.gov.uk/company/09920845
>
> And you can query it with SPARQL
> http://business.data.gov.uk/companies/app/explore/sparql.html
>
> So there is no need to force them to do anything.
>
> What is needed is to get a few of these national registrars to
> agree on an ontology, so as to make it valuable for browsers
> to get that information and display it in an elegant and
> attractive fashion when needed, and for there to be
> a way for that to be findable, either from the web site
> or through DNS or both or more.
>
>>> It’s a lot easier for state registrars to publish their data
>>> in extensible human and machine readable formats such as JSON-LD
>>> on HTTPS servers that in DNS. So that’s where it is happening
>>> and that’s where I expect it to continue happening.
>> Meh.  Either way.
>>
>>>> DNS already has this by way of the registrars, which already have this.
>>> Those are just special type of registrars. If you extend your
>>> view of registrars, then you will see that what is
>>> needed is to tie web sites (via DNS or HTTP headers or X509
>>> fields) to those that are ultimately responsible for the rich
>>> data that is needed, namely state based company or institution
>>> registrars.
>> Who needs that?  The public?  Maybe.  The public needs trust, and that
>> could be transitive via the registries.  I don't think the public is
>> going to be able to review this metadata anymore than they can review
>> PKIX certificate and issuer metadata.  And having this metadata gets us
>> no closer to solving the WebPKI problems.
> That’s a User Interface issue.
> I think it is quite clear that amazing user interfaces can
> be built inside browsers.
> That these have not been build around X509 is partly to do
> with the poverty of the information available in those
> certificates, the static nature of them, the difficulty on
> agreeing on OID standards to extend them, etc...
>
>> I'll make an assertion we can debate: it will be easier to earn user
>> trust if there's a proper rooted issuer chain mirroring the DNS (i.e.,
>> DNSSEC), but even then we'll need better regulation of registries by
>> nation states, and of registrars by registries and nation states.
> If you include company house they are already regulated, and they
> are already publishing. They need to standardize somewhat so
> that browsers can more easily consume the information, but that’s
> it.
>
>>>> Whether such metadata should be public or not is a policy matter for
>>>> each registry and associated governance framework (i.e., in the
>>>> registry's legal jurisdiction(s)).  The IETF should not mandate
>>>> publication of that data because publication is a policy matter, and the
>>>> IETF has no leverage to impose such a mandate anyways.
>>> The IETF like the W3C takes on the role of building spaces for
>>> different groups to come to a consensus on some topic of relevance.
>>> Improving security on the internet and the web is relevant to both.
>>> I guess that the W3C is better equipped to help governments come
>>> to consensus with web browsers on ontologies. Nevertheless there
>>> would certainly be a role also at the IETF level too. In any case
>>> being aware of this possibility could help direct future work here.
>> We don't quite have the political reach to solve the legal problems.  We
>> can advise nation states.  We can attempt to create a replacement for
>> the DNS and once again create monopolistic registries that nation states
>> can then choose to regulate.  We probably cannot do much better than
>> that.
> Or we can do a duck-rabbit trick and see that what we need is right
> there emerging in front of our eyes. :-)
>
>> Nico
>> --