Re: [saag] post-X509 cryptographic identities
Tony Rutkowski <trutkowski.netmagic@gmail.com> Tue, 11 February 2020 14:57 UTC
From: Tony Rutkowski <trutkowski.netmagic@gmail.com>
To: Derek Atkins <derek@ihtfp.com>, Michael Richardson <mcr+ietf@sandelman.ca>
Cc: saag@ietf.org, era@x500.eu, jean-paul.lemaire@univ-paris-diderot.fr, Arnaud Taddei <arnaud.taddei@broadcom.com>
Organization: Netmagic Associates LLC
Message-ID: <7dba0cd7-5b80-a80d-22ce-954baf7d293b@netmagic.com>
Date: Tue, 11 Feb 2020 09:57:35 -0500
In-Reply-To: <8ccb201a00d4e693c882225170ca424f.squirrel@mail2.ihtfp.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ZyQZ2cJopgdeIcNJK3Zb019QzM8>
The earliest public description of PKI development and objectives can be
found in the seminal paper presented by Ruth Nelson in 1987. See Ruth
Nelson, SDNS Services and Architecture, 10th National Computer Security
Conference Proceedings, Sept 1987.
https://csrc.nist.gov/publications/detail/conference-paper/1987/09/21/proceedings-10th-national-computer-security-conference-1987

The specification first appeared in the 1988 CCITT (now ITU-T) Blue Book,
where it was entitled "The Directory - Authentication Framework," in
conjunction with the OSI internet ensemble of protocols.
https://www.itu.int/itu-t/recommendations/rec.aspx?rec=14033

That was followed in 1990 by its treatment by NIST as part of the GOSIP
profiles. See NISTIR 90-4250, Secure Data Network System (SDNS) Network,
Transport, and Message Security Protocols,
https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir90-4250.pdf

Shortly afterwards, in 1992, the original 1988 guide for X.509
implementations was revised. See:

ITU-T F.500 (08/1992), International public directory services
https://www.itu.int/itu-t/recommendations/rec.aspx?rec=676

ITU-T X.530 (11/2008), Information technology - Open Systems
Interconnection - The Directory: Use of systems management for
administration of the Directory,
https://www.itu.int/itu-t/recommendations/rec.aspx?rec=9601

Today, responsibility for X.509 remains with its longtime editor, Erik
Andersen, who with Jean-Paul Lemaire is working on an update on
implementations. They can speak to their efforts to evolve the
specification and use. These include two work items:

X.pki-em, Public-key infrastructure: Establishment and maintenance,
https://www.itu.int/itu-t/workprog/wp_item.aspx?isn=13536

X.509prot, Protocol specifications for public-key infrastructure and
privilege management infrastructure
https://www.itu.int/itu-t/workprog/wp_item.aspx?isn=14393

The legal and public policy issues were extensively treated and developed
to further the PKI industry through the International Law and Policy
Forum (ILPF), which was established in the early 1990s and quickly evolved
to focus on PKI provisioning. The ILPF was modeled after the IETF to
treat legal matters. The IETF's involvement in the space was facilitated
by the Internet Society purchasing considerable liability insurance in
the early 1990s. Collaboration on PKI implementations invokes rather
considerable potential antitrust and tort liability culpability - which
is why the ITU-T remains the principal responsible body.

You might wish to collaborate with others dealing with these matters in
ITU-T SG17 Q11/17 led by Jean-Paul, and the X.509 Editor, Erik Andersen.

--tony r

On 2020-02-11 8:30 AM, Derek Atkins wrote:
> On Tue, February 11, 2020 5:55 am, Michael Richardson wrote:
> [snip]
>> I think that the document would say a series of things:
>> The designers of X500/X509 intended X, but it turned out that this
>> did not happen, and instead PKIX did Y.
>>
>> (One could substitute X=DN, Y=SAN for instance)
>>
>> I think that it is important for any new identity system to recognize what
>> forces pushed us away from the original vision.
>> We made engineering tradeoffs based upon time, code, bandwidth, round-trips
>> and threats. Not every such decision is still justified.
>>
>> So this requirements document would essentially be some kind of loving
>> criticism.
> Should this document also include the history of other PKIs, such as SPKI
> and/or OpenPGP's WoT? I think it would be interesting to put an
> historical contrast on the visions behind the various methods/standards
> and perhaps try to document the reasons (if possible) that "market forces"
> took us in one direction vs another.
>
> -derek