IETF Logo Mail Archive

Re: [saag] post-X509 cryptographic identities

Henry Story <henry.story@gmail.com> Thu, 13 February 2020 18:48 UTC

Return-Path: <henry.story@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59AB61207FD for <saag@ietfa.amsl.com>; Thu, 13 Feb 2020 10:48:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rFbrlMx0yPcS for <saag@ietfa.amsl.com>; Thu, 13 Feb 2020 10:48:23 -0800 (PST)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A20D112021C for <saag@ietf.org>; Thu, 13 Feb 2020 10:48:22 -0800 (PST)
Received: by mail-wm1-x32b.google.com with SMTP id p17so7934786wma.1 for <saag@ietf.org>; Thu, 13 Feb 2020 10:48:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=N9g5EtLPFyAVUngHEdicwoii4oDrsrJDU9oWQl/JT4A=; b=X+UQ3f4TOW8Z6CTQgOPO2SddBtYYkCLs/6YyK/R9qxUkWD8WS7cZ/rtrupFcW103++ TJIVfSkCKYWGr+KM7rpGYjcixhHjaarN9BaMYucDkUIdYt9jiLOKIj5RA3rdXtPeyKuX CUDTOqz0n9ni/XlCxWxVdXBK7gTTBsM9WTEB7q6mMiziGAnjVNdehWsK9X1tx4ydkUMW iZAipoR5ClnjdyrUULY7B0LzKDyg8lqC2a/IziDA8yWS3vFCWOwaayYLuwdwmD529aMp /aP5+1SvZczTgaAI3buGuyC5a6QoLRVagL68HO2uniER2n5Hn8LX5Iwzhkkc5ciwneV2 eCcw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=N9g5EtLPFyAVUngHEdicwoii4oDrsrJDU9oWQl/JT4A=; b=XKLD0/AshdKsi8GsiuVZBJ4yH/7kn7LF4uWItCWLRdkeYQCvenNq298jTJdSnBd1LU eamhs0Ahprt9gQG4x8JXNX4aYrYOifIOYdpxIYwpIYLnELeZgzWTCMONa1DXA1Eq1g0z hMckCk6vZfmFUXW/ogxv8pzIrqfVNh7snwbcoOK97wuUrFOHZoYcze08GTnY/xpMI2Sm QSIMN8iPqlCbhmqmHKG5sfZuzwRwg0ara2iuzz899Bje6eJXttsE5EuNlk71zYRY9o3H IJ87bF4dypwyMnIqVp2COWaDjQJwwD2KLwQon0Axx/738P3tHOkc2BNM9pD1Ycz7tXVa NQOQ==
X-Gm-Message-State: APjAAAWvQSLTWMy34dDtV4h2B81IhImJFVx9W0aEr54eBKQylmcbteiU cpxx1pVec/kz9ITug+E7QfkJhJRz5oE=
X-Google-Smtp-Source: APXvYqyUNCrOZdPCeI/8/+tdtMbVxCxMaVkCSiniqGW5XyV3tx7+bT3w8fTag+3XWkanrRztzF76aQ==
X-Received: by 2002:a1c:5f41:: with SMTP id t62mr7317329wmb.42.1581619700971; Thu, 13 Feb 2020 10:48:20 -0800 (PST)
Received: from [192.168.43.200] ([92.184.96.41]) by smtp.gmail.com with ESMTPSA id i2sm4104251wmb.28.2020.02.13.10.48.19 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 13 Feb 2020 10:48:20 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Henry Story <henry.story@gmail.com>
In-Reply-To: <65357327-e2d7-89cc-221e-ed8ac2875048@netmagic.com>
Date: Thu, 13 Feb 2020 19:48:18 +0100
Cc: Nico Williams <nico@cryptonector.com>, Michael Richardson <mcr+ietf@sandelman.ca>, saag@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <A91F5BD6-BFBA-4BA7-9158-3F41A8F0F7D9@gmail.com>
References: <825b8c8e-7ee9-9276-d09e-9c006acf3804@ericsson.com> <CABcZeBOzJ2MRS8deZqN+e-o9tFDwgSrYK3_hmV-0pfO+L9oaVw@mail.gmail.com> <53c87d6b-cad1-3a80-291d-e2a896705da5@ericsson.com> <CABcZeBNJWmFTV==6sa0qnAPyRr4=6OiCacchzobE=RozHnqPdg@mail.gmail.com> <7901248e-c7dd-8a12-65df-f40415fde5e2@cs.tcd.ie> <26497.1581418516@dooku> <20200212002125.GO18021@localhost> <alpine.DEB.2.20.2002131443470.25433@grey.csi.cam.ac.uk> <20200213171324.GP18021@localhost> <d3d01f1f-5784-da84-1c59-e636d349bd2a@netmagic.com> <20200213175626.GR18021@localhost> <65357327-e2d7-89cc-221e-ed8ac2875048@netmagic.com>
To: trutkowski@netmagic.com
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/m5zqRgRWbW1DTWkd14fBJuH8c5k>
Subject: Re: [saag] post-X509 cryptographic identities
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Feb 2020 18:48:32 -0000

> On 13 Feb 2020, at 19:18, Tony Rutkowski <trutkowski.netmagic@gmail.com> wrote:
> 
> Antitrust and tort liability are significant components here as well, and the support by sovereigns provides immunity.  Why antitrust enforcement or litigation hasn't occurred already, seems almost improbable.
> 
> The billions of OID tagged objects with certificates originally envisioned by Jim White and others at PARC, was predicated on immunity provided by sovereigns.  Indeed, the US portion of the namespace was covered by a DOC proceeding in 1992.  Two years later, the newly free-floating IANA would adopt a no trust approach to generate money for the growing DARPA DNS domain name business.  See http://www.circleid.com/posts/20180113_the_meeting_that_changed_the_darpa_datagram_internet/

I think one has to take it as a ”fait accompli” that domain name dilution
has happened. In any case asking people to remember the meaning of 2 character codes for country names globally would have required a huge
investment in teacher training, child training etc… to accomplish. 
Most Europeans have trouble remembering where US states are located
even though it is taught in final years around the age of 17-18. Most
US citizens have trouble remembering all the states of Europe, even
though many had ancestors the immigrated from here.

That is not the way to do things. Instead lets accept that choosing domain names is taken over by marketing folks, that poor countries are selling
their domains to make much needed money, etc… Furthermore the only way to
get rid of domain name squatters is to make their business irrelevant by
just adding new domain names.

Instead one should lead the Sovereigns to enter into the web by providing
data in machine readable format, about the companies and web sites that
wish to tie themselves to those legal institutions, the benefits of 
which are not to be underestimated: you only need to live some time in lawless zones, from squats onwards to understand how helpful the law is.
This can be done in a purely opt in basis, though it would require 
some conventions to be agreed upon, and the basic naming infrastructure 
to work securely.

I describe towards the end of chapter 3 of my second year report 
in different language a detailed version of how this can work.

https://co-operating.systems/2019/04/01/PhD_second_year_report.pdf

In a way it is one of the core principles of URIs: one should not 
try to encode semantics in them. 

Btw. one of the reasons why the system worked for so long, is that initially
the web of trust on which domain names and URIs built was built up
in a peer to peer manner by people linking pages. Those pages that got
the most links rose to the top in search engines that started using that
information (At AltaVista we did not know how to do it).

Now that undermining the system of links through bots has a lot of 
value, that architecture no longer works. One actually now needs the
systems that have evolved to deal with law and law breakers, which
are called states, and which exist in diplomatic/anarchic relations
with one another.

This is an interesting conversation, that is giving me a lot of
good ideas on how to structure my final thesis.

Henry


> 
> --tony
> 
> On 2020-02-13 12:56 PM, Nico Williams wrote:
>> On Thu, Feb 13, 2020 at 12:34:12PM -0500, Tony Rutkowski wrote:
>>> We have had hierarchical trusted name systems for a while.  PSTN numbers
>>> still serve that function - which drove ENUM.
>>> 
>>> The old idealized legacy DNS model arguably disappeared with vigorous
>>> competition among alternative root servers, e.g, 1.1.1.1, 8.8.8.8, etc.
>> The registries and registrars haven't changed.  The quad-Ns have not yet
>> balkanized the namespace.  They could, and they might, but it'd be
>> awfully controversial, and it's not likely to happen.
>> 
>> Moreover, DNSSEC still prevents namespace balkanization, and the quad-Ns
>> aren't yet replacing the root keys with their own.  Nation states _can_
>> pull this off because they can force people within their jurisdictions
>> to use balkanized DNS.  And quad-N providers might even provide that
>> service to nation states, but we're not there yet, and that's not
>> evidence that a global namespace is bad.
>> 
>>> Then there is also the shift to E2E MEF Ethernet...or with DONA's Handle
>>> System.
>>> 
>>> All of this arguably underscores the continuing need for a trusted PKI
>>> cert.  As you note, sovereign registries have value.
>> The registries need not be sovereign, but the dispute resolution
>> mechanisms they tie into must be.
>> 
>> Users need ways to establish trust.  Person-to-person (or device-to-
>> device) trust establishment is amenable to TOFU, but customer-to-
>> provider trust is not really.  The latter requires a namespace that
>> users can navigate to find -ultimately- where to bring civil suit if
>> need be.
>> 
>> Nico
> <19921014_USdomainProcedures.pdf>_______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag

v2.23.0 | Report a Bug | By Email