Re: [saag] post-X509 cryptographic identities

Henry Story <henry.story@gmail.com> Tue, 11 February 2020 22:50 UTC

From: Henry Story <henry.story@gmail.com>
Date: Tue, 11 Feb 2020 23:50:36 +0100
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, saag@ietf.org
To: Derek Atkins <derek@ihtfp.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/gtXRA6YuKizJ1PEEaB-hfNA2OSU>
Subject: Re: [saag] post-X509 cryptographic identities


> On 11 Feb 2020, at 14:30, Derek Atkins <derek@ihtfp.com> wrote:
> 
> 
> On Tue, February 11, 2020 5:55 am, Michael Richardson wrote:
>> 
> [snip]
>> I think that the document would say a series of things:
>>  The designers of X500/X509 intended X, but it turned out that this
>>  did not happen, and instead PKIX did Y.
>> 
>> (One could substitute X=DN, Y=SAN for instance)
>> 
>> I think that it is important for any new identity system to recognize what
>> forces pushed us away from the original vision.
>> We made engineering tradeoffs based upon time, code, bandwidth,
>> round-trips
>> and threats.   Not every such decision is still justified.
>> 
>> So this requirements document would essentially be some kind of loving
>> criticism.
> 
> Should this document also include the history of other PKIs, such as SPKI
> and/or OpenPGP's WoT?  I think it would be interesting to put an
> historical contrast on the visions behind the various methods/standards
> and perhaps try to document the reasons (if possible) that "market forces"
> took us in one direction vs another.

After my intervention in this thread earlier today on the importance
of the relation of data and naming, it occurred to me that the
early X509 standards were bound to a data protocol, X500, which later led
to LDAP. (I don't know this story in detail, but I am sure many
here could write books about it). The important thing then is that
it could be argued that the architecture of naming made sense when complemented with a system for tying identities to richer data.
As these protocols failed to function at global scale, one was left
with only identity/reference working.

I claim that Data should be thought of as putting things into relation
to one another. If I can invoke some mathematics here, a very
clear way of presenting databases in Category Theory, developed
by Spivak at MIT, is as a functor from a small category (the schema)
onto the category Set. See the very clearly written
  "Functorial Data Migration"
https://arxiv.org/abs/1009.1166

Now a key concept in this view is that of a Grothendieck construction,
which is a category that arises out of a database instance (i.e. such
a functor) by flattening the schema and the data together.
This is explained in that article in a few short paragraphs.
In later work they use this construction in order to give a mathematical model of how DB queries work.

Spivak in that article sees this as being the structure behind RDF,
the semantic web standard developed at W3C, though it turns out that
this works better when, instead of using a functor to Set, one works with
functors from the bicategory of Relations to the category Rel of sets and relations (shown in a recent article):
https://arxiv.org/abs/1706.00526

There are thus some deep mathematical reasons to think that the
structures behind the Semantic Web project are the right ones
to build databases. Furthermore, it was designed
to work in decentralised systems that use all the protocols developed
here at the IETF. So the analysis of data as relational,
and their tie to identity (each name being an identifier),
and the need for both to work together, shows, it seems to me, that
in order to fulfill the original vision of X509, one should
perhaps help oneself to the 20 years of work done at W3C
and in universities across the world.


Henry
@bblfish
> 
> -derek
> -- 
>       Derek Atkins                 617-623-3745
>       derek@ihtfp.com             www.ihtfp.com
>       Computer and Internet Security Consultant
> 
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
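The schema-as-small-category, instance-as-functor-to-Set view and the Grothendieck construction that the post above refers to, as an added worked example (this is not code from the post, from Spivak's paper, or from any project; the `Schema`/`Instance` classes and the HR sample data are constructed here for illustration). Functoriality shows up as referential integrity plus the schema's path equations, and the category of elements, listed as (subject, predicate, object) arrows, is the RDF-style flattening of schema and data together:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
@dataclass
class Schema:
    """Small category presented by a graph (objects, arrows) plus path equations."""
    objects: List[str]
    arrows: Dict[str, Tuple[str, str]]  # arrow name -> (source, target)
    equations: List[Tuple[List[str], List[str]]] = field(default_factory=list)

@dataclass
class Instance:
    """A functor F: Schema -> Set; rows[o] is F(o), maps[a] is F(a) as a dict."""
    rows: Dict[str, set]
    maps: Dict[str, Dict[str, str]]
def follow(inst: Instance, path: List[str], x: str) -> str:
    for a in path:  # apply F along a composable path of arrows
        x = inst.maps[a][x]
    return x

def check_functor(schema: Schema, inst: Instance) -> List[str]:
    """Functoriality is referential integrity: each arrow must be a total function
    into its target's rows, and every path equation must hold on every row."""
    problems = []
    for a, (src, tgt) in schema.arrows.items():
        for x in inst.rows[src]:
            y = inst.maps[a].get(x)
            if y is None:
                problems.append(f"{a} undefined on {x}")
            elif y not in inst.rows[tgt]:
                problems.append(f"{a}({x})={y} is not a row of {tgt}")  # dangling key
    for lhs, rhs in schema.equations:
        for x in inst.rows[schema.arrows[lhs[0]][0]]:
            if follow(inst, lhs, x) != follow(inst, rhs, x):
                problems.append(f"{'.'.join(lhs)} = {'.'.join(rhs)} fails at {x}")
    return problems

def grothendieck(schema: Schema, inst: Instance):
    """Category of elements: objects are (table, row); arrow (a, x) goes from (src, x)
    to (tgt, F(a)(x)). Listed as (subject, predicate, object), the arrows are RDF triples."""
    objs = [(t, x) for t in schema.objects for x in inst.rows[t]]
    triples = [(x, a, inst.maps[a][x])
               for a, (src, _) in schema.arrows.items() for x in inst.rows[src]]
    return objs, triples

# Constructed sample: employees work in a department; a manager works in the same one.
HR = Schema(["Emp", "Dept"],
            {"worksIn": ("Emp", "Dept"), "manager": ("Emp", "Emp")},
            [(["manager", "worksIn"], ["worksIn"])])
DATA = Instance({"Emp": {"e1", "e2", "e3"}, "Dept": {"d1", "d2"}},
                {"worksIn": {"e1": "d1", "e2": "d1", "e3": "d2"},
                 "manager": {"e1": "e1", "e2": "e1", "e3": "e3"}})
```

`check_functor(HR, DATA)` returns an empty list for the sample, and `grothendieck(HR, DATA)` yields five objects and six triples such as `("e2", "manager", "e1")`; an instance with a dangling key or a manager in another department is reported as a violation.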