Re: [saag] post-X509 cryptographic identities

Watson Ladd <watsonbladd@gmail.com> Fri, 14 February 2020 15:33 UTC

From: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 14 Feb 2020 07:33:14 -0800
Message-ID: <CACsn0cnrZhTpgC9aQgciJjfhGC4VuhV4irYbO3om6c-vsrYnFw@mail.gmail.com>
To: trutkowski@netmagic.com
Cc: Henry Story <henry.story@gmail.com>, Nico Williams <nico@cryptonector.com>, Michael Richardson <mcr+ietf@sandelman.ca>, IETF SAAG <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/jgmZzRxqyaTYaDipSbNUruAWu2c>

On Thu, Feb 13, 2020, 2:30 PM Tony Rutkowski <trutkowski.netmagic@gmail.com>
wrote:

> It is interesting that no one is addressing Bob Kahn's evolving models.
> Bob, after all, approved, paid for, and nurtured DARPA's DNS and BIND
> namespace/platforms. (The BIND part proved serendipitous but ultimately
> critical because some Berkeley grad students needed a funded project.)
>
> In the 1990s, he created the DOI namespace and infrastructure to
> identify and resolve all network based objects with IPR significance.
> He achieved a measure of success by obtaining both government support
> and transferring authority to a nominally global non-profit foundation
> (the International DOI Foundation) while maintaining some continuing
> control of the BIND equivalent. It has been quite successful, and even
> RFCs now have DOIs.
>
> Shortly afterwards, he rolled out Handles as a superstructure for all
> network identifiers.  Success for that namespace and platform proved
> more difficult.  Ultimately he used a combination of intergovernmental
> nexus (ITU-T X.1255) plus treaty conference resolutions - combined with
> a slightly more independent global non-profit foundation based in Geneva
> (the DONA Foundation).  The success has proven more elusive, even as
> some nations have considered it as an alternative/backup for DNS, and in
> theory solves the meta-identifier problem that will get more vexing as
> object namespaces proliferate.
>
> Views?
>

I'd prefer to focus on real world experience and the lessons learned, and
solving tractable problems that are serious.

In this world plenty of economic transactions take place with DNS names as
the only identifier. Plenty of people are known by monikers that have
nothing to do with any government: Muhammad Ali, Prince, Kirk Douglas,
Liberace, etc. The state doesn't determine these: remember "Say my name!"?

For all the supposed essentialness of tying DNS names and cert issuance to
the real world, the WebPKI has focused on domain control and been widely
accepted. OV and DV certs have completely failed to deliver, with the
browser UI becoming deprecated due to serious issues with assuming
globally unique names and consequent security. OCSP didn't work because CAs
can't meet the uptime requirements. Short-lived certs can't work because
they would clog CT logs, and X509 is too hairy for what it is used for now.

Where is the running code for all these wonderful ideas? Where is the
demonstration that they will actually add value?

Sincerely,
Watson Ladd