Re: [saag] post-X509 cryptographic identities

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 14 February 2020 13:59 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Nico Williams <nico@cryptonector.com>
cc: saag@ietf.org
In-reply-to: <20200213174617.GQ18021@localhost>
References: <ac360994-e747-6913-fdc3-19b7db2e00c3@netmagic.com> <3854.1581431519@dooku> <20200213174617.GQ18021@localhost>
Comments: In-reply-to Nico Williams <nico@cryptonector.com> message dated "Thu, 13 Feb 2020 11:46:18 -0600."
Date: Fri, 14 Feb 2020 14:59:41 +0100
Message-ID: <18044.1581688781@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/kCXlro8HclKuZ3te80rpHtf_LIQ>
Subject: Re: [saag] post-X509 cryptographic identities

Nico Williams <nico@cryptonector.com> wrote:
    > It seems like a miracle that we have DNS at all.

    > And when you talk about x.509 naming, it really does seem to mean that
    > you're referring to dNSName SANs, so, DNS.

    > It seems unlikely to me that we could replace a global system we have
    > (DNS) with a non-global system.  That's a lot of value to leave behind!

SPKI permitted things like:
     DNS's www.cryptonector.com
or:  Nico's second-floor bathroom

and in particular it would permit:
or:  Russia's nameservice cryptonector.com       (national DNS root)
or:  employer.example.com's www.amazon.com       (forced corporate proxy)

    >> Typical PKI implementations just makes it really hard for end users to
    >> actually manage their trust anchors, because it pretends that the
    >> local trust anchors were a pronouncement from god.

    > Yes.  But that's not a fault of PKIX, or DNS, or anything other than the

I agree, it's not inherently the result of PKIX, but then we got meaningless
junk like CPS, which makes it really hard for people (even lawyers) to have
their own.

    > So I take the opposite view: a single global namespace IS fine.  It may
    > well be the single biggest key to the Internet's success.  WebPKI is
    > busted.  ISTM incorrect to conclude that because WebPKI is busted, and
    > that because the "I" in it wanted it to be a single global namespace,
    > that then it must be that a global namespace is bad.

In the SPKI days I wanted no DNSSEC root.
I wanted 158 national roots with k-of-n cross-signatures.
Countries would recognize (in the political/legal, UN sense) each other by
signing each other's ccTLD trust anchors.

Everyone in Canada would be obligated by law to use the "CA" trust anchors,
and to get to "amazon.DE", I'd have to go "CA-cross->DE->amazon".

Which definitely lets my government spoof me, which they already say they
have the right to do under certain circumstances, but it doesn't let them
spoof you.   Would we have to kill ".com", etc. and all the ICANN zoo?  
Maybe. It's not a big loss to me, but others would object.  And we don't need
to do it overnight.

It also means that my government is assuming liability if I get spoofed,
which also seems reasonable. 

    >> learn this practice as infants.  In the family environment names work
    >> as identifiers, even today.  What we learn as infants is especially
    >> difficult to re-learn later in life.  Therefore, it is natural for
    >> people to translate the need to know who the keyholder is into a need
    >> to know the keyholder's name.

    > Locality in naming usage does not imply that a global namespace is bad.

So, we see this in things like maps, where national authorities inform
google/bing/etc. what the official name of a conquered place is, in
contradiction to the name the locals (and possibly the world) use.
I don't know which name is global and which name is local, but I can do all
of that with relative (SPKI) names.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
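The relative-name examples in the mail above (DNS's www.cryptonector.com, Nico's second-floor bathroom, the CA-cross->DE->amazon path, and k-of-n cross-signed national roots) modelled as a small SDSI-style name resolver. This is an added example for this archive page, not code from the thread or from the SPKI/SDSI specifications. The key identifiers (K_CA, K_DE, K_nico, ...), the sample bindings, and the k-of-n acceptance rule are constructed assumptions; real SPKI principals are public keys and every name certificate carries the issuer's signature, which the model omits.

```python
"""Toy model of SPKI/SDSI linked local names and k-of-n cross-signed national roots.

Added illustration written for this archive page; not code from the SPKI/SDSI
specifications or from anyone in the thread.  Principals are stand-in key
identifiers such as "K_CA" (real SPKI principals are public keys), and the
issuer signature every real name certificate carries is omitted.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Name:
    """SDSI name: a principal followed by local names.  Name("K_CA", ("DE", "amazon"))
    reads "K_CA's DE's amazon", the CA-cross->DE->amazon path from the mail."""
    principal: str
    path: tuple[str, ...]


Subject = Union[str, Name]  # a key identifier, or another (relative) name


@dataclass(frozen=True)
class NameCert:
    """Issuer binds one local name, in its own namespace only, to a subject."""
    issuer: str
    local: str
    subject: Subject


def resolve(name: Name, certs: list[NameCert], _depth: int = 0) -> set[str]:
    """Keys a linked local name resolves to (empty set if nothing is bound).

    Each step consumes the first label using certs issued by the current
    principal.  A subject that is itself a Name is reduced first and the
    remaining labels are appended.  The depth bound stops circular definitions.
    """
    if _depth > 16:
        return set()
    if not name.path:
        return {name.principal}
    label, rest = name.path[0], name.path[1:]
    keys: set[str] = set()
    for cert in certs:
        if cert.issuer != name.principal or cert.local != label:
            continue
        if isinstance(cert.subject, Name):
            next_keys = resolve(cert.subject, certs, _depth + 1)
        else:
            next_keys = {cert.subject}
        for key in next_keys:
            keys |= resolve(Name(key, rest), certs, _depth + 1)
    return keys


def build_certs() -> list[NameCert]:
    """Constructed sample bindings mirroring the examples in the mail."""
    return [
        # "DNS's www.cryptonector.com"
        NameCert("K_DNS", "www.cryptonector.com", "K_nico"),
        # "Russia's nameservice cryptonector.com": a national root binds the same
        # label to another key; the bindings do not conflict, each is relative.
        NameCert("K_RU", "cryptonector.com", "K_cryptonector_per_RU"),
        # "employer.example.com's www.amazon.com" (forced corporate proxy) vs DNS's.
        NameCert("K_employer", "www.amazon.com", "K_corp_proxy"),
        NameCert("K_DNS", "www.amazon.com", "K_amazon"),
        # "Nico's second-floor bathroom": two-step local name under Nico's key,
        # plus a name mcr defines by pointing at Nico's name (linked local names).
        NameCert("K_nico", "second-floor", "K_nico_floor2"),
        NameCert("K_nico_floor2", "bathroom", "K_bathroom"),
        NameCert("K_mcr", "nicos-loo", Name("K_nico", ("second-floor", "bathroom"))),
        # National roots: CA cross-certifies DE's anchor under the local name "DE".
        NameCert("K_CA", "DE", "K_DE"),
        NameCert("K_DE", "amazon", "K_amazon_de"),
    ]


def spoofed_by_ca(certs: list[NameCert]) -> list[NameCert]:
    """Hypothetical: the CA root replaces its 'DE' binding with a rogue key.

    Canadians resolving K_CA's DE's amazon now get the rogue answer; Germans
    resolving K_DE's amazon directly are untouched, which is the mail's point.
    """
    kept = [c for c in certs if not (c.issuer == "K_CA" and c.local == "DE")]
    return kept + [NameCert("K_CA", "DE", "K_rogue"),
                   NameCert("K_rogue", "amazon", "K_fake_amazon")]


# CROSS_SIGS[r] = roots whose trust anchors root r has signed (constructed data).
CROSS_SIGS: dict[str, set[str]] = {
    "K_CA": {"K_DE", "K_FR", "K_US"},
    "K_DE": {"K_CA", "K_FR", "K_JP"},
    "K_FR": {"K_CA", "K_DE", "K_JP"},
    "K_US": {"K_CA", "K_DE"},
}


def accepted_anchor(local_root: str, foreign_root: str,
                    cross_sigs: dict[str, set[str]], k: int) -> bool:
    """One reading of 'k-of-n cross-signatures' (an assumption, not the mail's spec):
    accept a foreign root if the local root signed it directly, or if at least
    k of the roots the local root did sign have signed it."""
    signed = cross_sigs.get(local_root, set())
    if foreign_root in signed:
        return True
    votes = sum(1 for r in signed if foreign_root in cross_sigs.get(r, set()))
    return votes >= k


if __name__ == "__main__":
    certs = build_certs()
    print(resolve(Name("K_CA", ("DE", "amazon")), certs))
    print(resolve(Name("K_CA", ("DE", "amazon")), spoofed_by_ca(certs)))
    print(resolve(Name("K_DE", ("amazon",)), spoofed_by_ca(certs)))
    print(accepted_anchor("K_CA", "K_JP", CROSS_SIGS, k=2))
```

Running the module shows the two properties the mail argues for: the same label resolves to different keys under different principals without any global conflict, and a rogue binding issued by one national root changes what that root's own citizens resolve while leaving everyone who starts from another root unaffected.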