Re: [saag] post-X509 cryptographic identities

[Nico Williams <nico@cryptonector.com>]

On Fri, Feb 14, 2020 at 02:59:41PM +0100, Michael Richardson wrote:
> Nico Williams <nico@cryptonector.com> wrote:
>     > It seems like a miracle that we have DNS at all.
> 
>     > And when you talk about x.509 naming, it really does seem to mean that
>     > you're referring to dNSName SANs, so, DNS.
> 
>     > It seems unlikely to me that we could replace a global system we have
>     > (DNS) with a non-global system.  That's a lot of value to leave behind!
> 
> SPKI permitted things like:
>      DNS's www.cryptonector.com
> or:  Nico's second-floor bathroom

And for the first it's no different than PKIX.  And it'd better have
name constraints or it's worth diddly squat.

(It's hard to come up with a generic syntax for the second name form
that is amenable to name constraints, of course.  Name constraints in
that case have to be relying-party-side configuration.  That's OK for
simple name forms that are not meant to scale to Internet scale.)

> and in particular it would permit:
> or:  Russia's nameservice cryptnector.com        (national DNS root)
> or:  employer.example.com's www.amazon.com       (forced corporate proxy)

Sure, but PKIX let's you have this too: it's just an alternate issuer
(root).

What would SPKI have given us, really?

>     >> Typical PKI implementations just makes it really hard for end users to
>     >> actually manage their trust anchors, because it pretends that the
>     >> local trust anchors were a pronouncement from god.
> 
>     > Yes.  But that's not a fault of PKIX, or DNS, or anything other than
>     > the
> 
> I agree, it's not inheirently the result of PKIX, but then we got meaningless
> junk like CPS which makes it really hard for people (even lawyers) to have
> their own.

CPS is useless lipstick on a pig (WebPKI), so don't use it.

>     > So I take the opposite view: a single global namespace IS fine.  It may
>     > well be the single biggest key to the Internet's success.  WebPKI is
>     > busted.  ISTM incorrect to conclude that because WebPKI is busted, and
>     > that because the "I" in it wanted it to be a single global namespace,
>     > that then it must be that a global namespace is bad.
> 
> In the SPKI days I wanted no DNSSEC root.
> I wanted 158 national roots with k-of-n cross-signatures.

Cross-signing roots ~= a root anyways.

Every country could run its own roots with mostly or entirely the same
contents as all the others.  From a relying party's point of view,
there's a single root, and _that_ is what matters.

(A relying party might need to change root trust anchors when traveling
if they are forced to or want to change roots.)

I.e., DNS and DNSSEC are no as strongly single-rooted as they are made
out to be, we can continue to have interop with multiple mostly-the-same
national roots, and still avoid the mess of WebPKI because for every RP
there will always only be one root.  This can only introp well provided
that the alternate roots keep the same public keys for all the TLDs,
naturally, but it's feasible and workable and radically different from
WebPKI.

> Countries would recognize (in the political/legal, UN sense) each other by
> signing each other's ccTLD trust anchors.
> 
> Everyone in Canada would be obligated by law to use the "CA" trust anchors,
> and to get to "amazon.DE", I'd have to go "CA-cross->DE->amazon".

Sure.  We could still have this, but people sure like their .com
domains.  Without legal requirements to use ccTLDs, they won't be.

> Which definitely lets my government spoof me, which they already say they
> have the right to do under certain circumstances, but it doesn't let them
> spoof you.   Would we have to kill ".com", etc. and all the ICANN zoo?  
> Maybe. It's not a big loss to me, but others would object.  And we don't need
> to do it overnight.

Yes.  But if governments won't force you to do this, I don't mind.  That
is, we can have a single-root PKI (or a cross-signed root if you
prefer) in all cases.  And we can have mandatory or optional use of
ccTLDs.  It's all good.

> It also means that my government is assuming liability if I get spoofed,
> which also seems reasonable. 

Sovereigns always immunize themselves.  You will not be able to sue your
government over attacks on you resulting from your country's ccTLD
private keys being compromised.  At best some may be able to avoid some
losses when their counter-party is also operating in the same country,
but only entities other than their government will be taking the losses.

>     >> learn this practice as infants.  In the family environment names work
>     >> as identifiers, even today.  What we learn as infants is especially
>     >> difficult to re-learn later in life.  Therefore, it is natural for
>     >> people to translate the need to know who the keyholder is into a need
>     >> to know the keyholder's name.
> 
>     > Locality in naming usage does not imply that a global namespace is bad.
> 
> So, we see this in things like maps where national authorities inform
> google/bing/etc. what the official name of a conquored place is, in
> contradiction to what name the locals, (and possibly, the world) use.
> I don't know which name is global and which name is local, but I can do all
> of that with relative (SPKI) names.

Names relative to global names are still global names.

Names relative to name-less issuers are truly local names: local to RPs
that trust those issuers.  But RPs cannot trust very many such issuers,
so PKI for local names is not very interesting.

Nico
--