Re: [therightkey] Will the real RPF please stand up?
Stephen Kent <kent@bbn.com> Wed, 08 February 2012 16:41 UTC
Return-Path: <kent@bbn.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3A4021F8731 for <therightkey@ietfa.amsl.com>; Wed, 8 Feb 2012 08:41:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.291
X-Spam-Level:
X-Spam-Status: No, score=-106.291 tagged_above=-999 required=5 tests=[AWL=0.308, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rz5-W70BHU8g for <therightkey@ietfa.amsl.com>; Wed, 8 Feb 2012 08:41:07 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id EB3C821F872D for <therightkey@ietf.org>; Wed, 8 Feb 2012 08:41:05 -0800 (PST)
Received: from dommiel.bbn.com ([192.1.122.15]:33044 helo=[192.67.20.202]) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1RvAZq-000CZc-0W; Wed, 08 Feb 2012 11:41:02 -0500
Mime-Version: 1.0
Message-Id: <p06240802cb5853bd675e@[10.120.131.43]>
In-Reply-To: <10ED67C0-F0ED-4D2C-B897-0BE97689EDF5@tid.es>
References: <12020712051780_4AE3A@oregon.uoregon.edu> <p06240811cb57510cf463@[10.120.131.43]> <10ED67C0-F0ED-4D2C-B897-0BE97689EDF5@tid.es>
Date: Wed, 08 Feb 2012 11:36:12 -0500
To: DIEGO LOPEZ GARCIA <diego@tid.es>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="iso-8859-1"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Cc: Joe St Sauver <joe@oregon.uoregon.edu>, "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Will the real RPF please stand up?
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2012 16:41:08 -0000
At 8:52 AM +0100 2/8/12, DIEGO LOPEZ GARCIA wrote: >On 7 Feb 2012, at 23:25 , Stephen Kent wrote: >> federated authentication systems using certs generally seem to be >> motivated because folks can make cross-certification work properly. >> other federated auth systems seem to be based on having one org trust >> another to assert and identity for a user know to the second, but not >> the first. that's a recipe for secruity problems. > >Well, at the end, having an org trust another to >identify a user only known to the latter is what >certificates do, don't they? The problem with >federated schemas is the number of potential >sources of identity, that has to become >unbounded by definition. You have then to rely >on federation metadata, telling you which orgs >are trusted to make assertions on whom, and you >need some root(s) of trust for those metadata, >metadata revocation procedures, etc. And this >collapses again into finding the-right-key(s) I was a bit sloppy in my choice of words. Let me try again. In the physical world we recognize that certain entities are authoritative for identifying people or orgs. These entities issue credentials to people and orgs, and these credentials are accepted for identification and/or authorization purposes, in selected contexts. If a CA issues certs with IDs for which the CA is authoritative, it mimics the real world model, and that's generally good. In many of the federation examples with which I am familiar, there is too much reliance on parties to vouch for identities in a nonauthoritative fashion. This is not a problem for all such systems, but for many. Steve
- Re: [therightkey] Will the real RPF please stand … Stephen Kent
- Re: [therightkey] Will the real RPF please stand … Kyle Hamilton
- [therightkey] Will the real RPF please stand up? Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Richard L. Barnes
- Re: [therightkey] Will the real RPF please stand … Daniel Kahn Gillmor
- Re: [therightkey] Will the real RPF please stand … Andrew Sullivan
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … David Conrad
- Re: [therightkey] Will the real RPF please stand … Martin Rex
- Re: [therightkey] Will the real RPF please stand … Richard L. Barnes
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Andrew Sullivan
- Re: [therightkey] Will the real RPF please stand … Chris Palmer
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Chris Palmer
- Re: [therightkey] Will the real RPF please stand … Martin Rex
- Re: [therightkey] Will the real RPF please stand … Richard L. Barnes
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Chris Palmer
- Re: [therightkey] Will the real RPF please stand … Ralph Holz
- Re: [therightkey] Will the real RPF please stand … Richard L. Barnes
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Ralph Holz
- Re: [therightkey] Will the real RPF please stand … David Conrad
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Martin Rex
- Re: [therightkey] Will the real RPF please stand … Martin Millnert
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Ralph Holz
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Jon Callas
- Re: [therightkey] Will the real RPF please stand … Paul Lambert
- Re: [therightkey] Will the real RPF please stand … Martin Millnert
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Jon Callas
- Re: [therightkey] Will the real RPF please stand … Kyle Hamilton
- Re: [therightkey] Will the real RPF please stand … Thomas Hardjono
- Re: [therightkey] Will the real RPF please stand … Jon Callas
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Paul Lambert
- Re: [therightkey] Will the real RPF please stand … Jon Callas
- Re: [therightkey] Will the real RPF please stand … Daniel Kahn Gillmor
- [therightkey] trustworthiness [was: Re: Will the … Daniel Kahn Gillmor
- Re: [therightkey] trustworthiness [was: Re: Will … Phillip Hallam-Baker
- Re: [therightkey] trustworthiness [was: Re: Will … Jon Callas
- Re: [therightkey] trustworthiness [was: Re: Will … Daniel Kahn Gillmor
- Re: [therightkey] trustworthiness [was: Re: Will … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Matt DeMoss
- Re: [therightkey] Will the real RPF please stand … Kyle Hamilton
- Re: [therightkey] Will the real RPF please stand … Stephen Kent
- Re: [therightkey] Will the real RPF please stand … Joe St Sauver
- Re: [therightkey] Will the real RPF please stand … Stephen Kent
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Ryan Hurst
- Re: [therightkey] Will the real RPF please stand … Martin Rex
- Re: [therightkey] Will the real RPF please stand … DIEGO LOPEZ GARCIA
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Stephen Kent
- Re: [therightkey] Will the real RPF please stand … Stephen Kent
- Re: [therightkey] Will the real RPF please stand … DIEGO LOPEZ GARCIA
- Re: [therightkey] Will the real RPF please stand … Stephen Kent
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Stephen Kent
- Re: [therightkey] Will the real RPF please stand … Bill Frantz
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Zack Weinberg
- [therightkey] focus (Was: Re: Will the real RPF p… Stephen Farrell
- [therightkey] Secure e-mail, and why it's not an … Kyle Hamilton
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] focus (Was: Re: Will the real R… Phillip Hallam-Baker
- Re: [therightkey] Secure e-mail, and why it's not… Stephen Farrell
- Re: [therightkey] focus (Was: Re: Will the real R… Stephen Farrell
- Re: [therightkey] Secure e-mail, and why it's not… Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … DIEGO LOPEZ GARCIA
- Re: [therightkey] focus (Was: Re: Will the real R… Phillip Hallam-Baker
- Re: [therightkey] Secure e-mail, and why it's not… Nico Williams
- Re: [therightkey] Will the real RPF please stand … Daniel Kahn Gillmor
- Re: [therightkey] Secure e-mail, and why it's not… Phillip Hallam-Baker
- Re: [therightkey] Secure e-mail, and why it's not… Nico Williams
- Re: [therightkey] Secure e-mail, and why it's not… Phillip Hallam-Baker
- Re: [therightkey] Secure e-mail, and why it's not… Nico Williams
- Re: [therightkey] Will the real RPF please stand … Stephen Kent
- Re: [therightkey] Will the real RPF please stand … Stephen Kent
- Re: [therightkey] Will the real RPF please stand … DIEGO LOPEZ GARCIA
- Re: [therightkey] Secure e-mail, and why it's not… Kyle Hamilton
- Re: [therightkey] Will the real RPF please stand … Stephen Kent
- Re: [therightkey] Will the real RPF please stand … Joe St Sauver
- Re: [therightkey] Will the real RPF please stand … Kyle Hamilton
- Re: [therightkey] Will the real RPF please stand … DIEGO LOPEZ GARCIA
- Re: [therightkey] Secure e-mail, and why it's not… Olaf Kolkman
- Re: [therightkey] Secure e-mail, and why it's not… Phillip Hallam-Baker
- Re: [therightkey] Secure e-mail, and why it's not… Kyle Hamilton
- Re: [therightkey] Secure e-mail, Martin Rex
- Re: [therightkey] Secure e-mail, Phillip Hallam-Baker
- Re: [therightkey] Secure e-mail, Nico Williams
- Re: [therightkey] Secure e-mail, Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Stephen Kent
- Re: [therightkey] Will the real RPF please stand … Stephen Kent
- Re: [therightkey] Will the real RPF please stand … Phillip Hallam-Baker
- Re: [therightkey] Will the real RPF please stand … Kyle Hamilton
- Re: [therightkey] Secure e-mail, and why it's not… Kyle Hamilton
- Re: [therightkey] Secure e-mail, and why it's not… Nico Williams