Re: [saag] post-X509 cryptographic identities

Watson Ladd <watsonbladd@gmail.com> Tue, 11 February 2020 16:54 UTC

From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 11 Feb 2020 08:54:00 -0800
Message-ID: <CACsn0cn=wk5k3MKT65=km1nxJBw+1H0e+gvAs_4=rhgazODSWA@mail.gmail.com>
To: trutkowski@netmagic.com
Cc: Derek Atkins <derek@ihtfp.com>, Michael Richardson <mcr+ietf@sandelman.ca>, saag@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/byD7ARzpntPwBkTiOQ5oQZMmTWc>
Subject: Re: [saag] post-X509 cryptographic identities
List-Id: Security Area Advisory Group <saag.ietf.org>

On Tue, Feb 11, 2020, 7:31 AM Tony Rutkowski <trutkowski.netmagic@gmail.com> wrote:

> Hi Derek,
>
> The market was a minor factor.  PKI invokes more legal and public policy
> considerations than probably any other electronic communication sector.
> It emerged as a governmental platform for trusted identity management
> and was pursued in intergovernmental bodies with links into treaty
> instruments.
>
> The ILPF very quickly came to focus almost exclusively on PKI in work
> led by Stewart Baker who had just left as NSA's GC. Verisign's early
> hire was Michael Baum who as Vice President of Practices and External
> Affairs, helped enable the marketplace by dealing with legal issues, and
> played a major role in getting PKI accepted worldwide. (Acknowledgement:
> I was also a VeriSign VP and a lawyer.)
>
> PKI is a fundamental part of the EU's regional security strategy, as it
> is in most nations.  PKI implementations also dramatically shape
> marketplace competition - a subject now of rather intense scrutiny on
> both sides of the pond - and culpability extends both to individuals and
> standards bodies.
>

Let's actually look at the dominant by order of magnitude application of
the PKI, namely authenticating servers identified by domain names.

The authoritative information is in the DNS. The CA system is only an extra
point of failure here, which is why things like DANE are promising.

None of the extensions like policy mapping etc. matter.

>
> --tony
>
> On 2020-02-11 9:40 AM, Derek Atkins wrote:
> > On Tue, February 11, 2020 9:26 am, Michael Richardson wrote:
> >> Derek Atkins <derek@ihtfp.com> wrote:
> > [snip]
> >>      > Should this document also include the history of other PKIs,
> >>      > such as SPKI and/or OpenPGP's WoT?  I think it would be
> >>      > interesting to put an historical contrast on the visions behind
> >>      > the various methods/standards and perhaps try to document the
> >>      > reasons (if possible) that "market forces" took us in one
> >>      > direction vs another.
> >>
> >> Yes, I think that it has to.
> >>
> >> Each evolved either as a response to X509.  Restating 2692/2693 or the
> >> design requirements for OpenPGP is not called for; distilling what
> >> criticisms were in common and why SPKI did not fly is important.  And is
> >> there something technically wrong with OpenPGP, or are we dealing with
> >> implementation issues?
> > My personal opinion is that it was neither a technical issue nor an
> > implementation issue that caused the market to choose X509 vs OpenPGP,
> > but rather a philosophical issue (or perhaps business-money-making
> > choices).
> >
> > On the other hand, if we're going to rehash the design requirements for
> > X.509, I think it makes sense to also rehash the differences in
> > requirements for SPKI and OpenPGP (and maybe even DNSSec).  Specifically,
> > it's important to discuss how they differed, but also in what ways they
> > overlapped.  I do agree we don't need to go into the full history of all
> > of them (including X.509).
> >
> > Again, this is just my opinion from someone who was deep in the trenches
> > back in the 1990s.
> >
> > -derek
> >