IETF Logo Mail Archive

Re: [saag] post-X509 cryptographic identities

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 11 February 2020 14:26 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DB7B1200C5 for <saag@ietfa.amsl.com>; Tue, 11 Feb 2020 06:26:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.5
X-Spam-Level: **
X-Spam-Status: No, score=2.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, RCVD_IN_SBL_CSS=3.335, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kAy9srCBrmUT for <saag@ietfa.amsl.com>; Tue, 11 Feb 2020 06:26:46 -0800 (PST)
Received: from relay.sandelman.ca (minerva.sandelman.ca [IPv6:2a01:7e00::3d:b000]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 608CB120013 for <saag@ietf.org>; Tue, 11 Feb 2020 06:26:46 -0800 (PST)
Received: from dooku.sandelman.ca (unknown [IPv6:2a02:8109:b6c0:52b8:584d:5a6f:7ed3:c298]) by relay.sandelman.ca (Postfix) with ESMTPS id E8C941F459; Tue, 11 Feb 2020 14:26:44 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 336F51A29C5; Tue, 11 Feb 2020 15:26:44 +0100 (CET)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Derek Atkins <derek@ihtfp.com>
cc: saag@ietf.org
In-reply-to: <8ccb201a00d4e693c882225170ca424f.squirrel@mail2.ihtfp.org>
References: <157762745765.1150.7880025422884493076@ietfa.amsl.com> <2C5DFA70-AD0E-4139-B28E-2D4EDB6E5409@sinodun.com> <46BDE9EB-6306-4194-AFFA-7E9E6604765F@sinodun.com> <825b8c8e-7ee9-9276-d09e-9c006acf3804@ericsson.com> <CABcZeBOzJ2MRS8deZqN+e-o9tFDwgSrYK3_hmV-0pfO+L9oaVw@mail.gmail.com> <53c87d6b-cad1-3a80-291d-e2a896705da5@ericsson.com> <CABcZeBNJWmFTV==6sa0qnAPyRr4=6OiCacchzobE=RozHnqPdg@mail.gmail.com> <7901248e-c7dd-8a12-65df-f40415fde5e2@cs.tcd.ie> <26497.1581418516@dooku> <8ccb201a00d4e693c882225170ca424f.squirrel@mail2.ihtfp.org>
Comments: In-reply-to "Derek Atkins" <derek@ihtfp.com> message dated "Tue, 11 Feb 2020 08:30:39 -0500."
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.2.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Tue, 11 Feb 2020 15:26:44 +0100
Message-ID: <3643.1581431204@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/qMKwUEJnICn9YyTzHYaE03UY3bY>
Subject: Re: [saag] post-X509 cryptographic identities
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2020 14:26:48 -0000

Derek Atkins <derek@ihtfp.com> wrote:
    > [snip]
    >> I think that the document would say a series of things:
    >> The designers of X500/X509 intended X, but it turned out that this
    >> did not happen, and instead PKIX did Y.
    >>
    >> (One could substitute X=DN, Y=SAN for instance)
    >>
    >> I think that it is important for any new identity system to recognize what
    >> forces pushed us away from the original vision.
    >> We made engineering tradeoffs based upon time, code, bandwidth,
    >> round-trips
    >> and threats.   Not every such decision is still justified.
    >>
    >> So this requirements document would essentially be some kind of loving
    >> criticism.

    > Should this document also include the history of other PKIs, such as SPKI
    > and/or OpenPGP's WoT?  I think it would be interesting to put an
    > historical contrast on the visions behind the various methods/standards
    > and perhaps try to document the reasons (if possible) that "market forces"
    > took us in one direction vs another.

Yes, I think that it has to.

Each evolved either as a response to X509.  Restating 2692/2693 or the design
requirements for OpenPGP is not called for; distilling what criticism were in
common and why SPKI did not fly is important.  And is there something
technical wrong with OpenPGP, or are we dealing with implementation issues?

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email