[therightkey] Non-digital maps, and 'technical trust'...
Robin Wilton <wilton@isoc.org> Tue, 28 July 2015 10:59 UTC
Return-Path: <wilton@isoc.org>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00A101A8909 for <therightkey@ietfa.amsl.com>; Tue, 28 Jul 2015 03:59:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 91zNdEItGoUy for <therightkey@ietfa.amsl.com>; Tue, 28 Jul 2015 03:59:37 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0057.outbound.protection.outlook.com [65.55.169.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13ACC1A88FE for <therightkey@ietf.org>; Tue, 28 Jul 2015 03:59:37 -0700 (PDT)
Received: from BLUPR06MB1828.namprd06.prod.outlook.com (10.162.225.18) by BLUPR06MB1826.namprd06.prod.outlook.com (10.162.225.16) with Microsoft SMTP Server (TLS) id 15.1.225.19; Tue, 28 Jul 2015 10:59:34 +0000
Received: from BLUPR06MB1828.namprd06.prod.outlook.com ([10.162.225.18]) by BLUPR06MB1828.namprd06.prod.outlook.com ([10.162.225.18]) with mapi id 15.01.0225.018; Tue, 28 Jul 2015 10:59:34 +0000
From: Robin Wilton <wilton@isoc.org>
To: "therightkey@ietf.org" <therightkey@ietf.org>
Thread-Topic: Non-digital maps, and 'technical trust'...
Thread-Index: AQHQySR8CNiU1nJ4UkOR105SceepXw==
Date: Tue, 28 Jul 2015 10:59:33 +0000
Message-ID: <888F6B8C-EB13-41B1-8D27-84A66108AB00@isoc.org>
References: <mailman.86.1438023613.16030.therightkey@ietf.org>
In-Reply-To: <mailman.86.1438023613.16030.therightkey@ietf.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [94.174.34.240]
x-microsoft-exchange-diagnostics: 1; BLUPR06MB1826; 5:9Kvll6AlZL5PHC7BzqkM8hgc5rkh2Gm3nwZ++nLxOgh5wddGTaf+itH5zVL2UG6WUBf0tThhVGUWBGbTlhEc0QuQVKvo05AjjHlzS15q3jcyZIIzD0/pvTGGnIP9bFudI6QjB16lV8E/JJ/Jnwvn3Q==; 24:D1BeerLi5wUnDb4zPCiN137odIG1OYO+8cmB/RgyW1FRPWRI0DYpAAb48onLCKoBSS3psg1oo0XJTR/JTKobTfxpgNEpg6onjH0zYPQ4ZH8=; 20:tueS9uW31HXncJM3O7WeXVFu6d+t9y9Mm8ELNFPuVBXZsErvp+P2fc2sdTUKwn88wPrw8MQyUP4X0ZOBSwW7fw==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR06MB1826;
blupr06mb1826: X-MS-Exchange-Organization-RulesExecuted
x-microsoft-antispam-prvs: <BLUPR06MB182697A15230D97E25842AB5BF8D0@BLUPR06MB1826.namprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5005006)(3002001); SRVR:BLUPR06MB1826; BCL:0; PCL:0; RULEID:; SRVR:BLUPR06MB1826;
x-forefront-prvs: 06515DA04B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(229853001)(83716003)(106116001)(122556002)(92566002)(5002640100001)(36756003)(189998001)(5001960100002)(107886002)(46102003)(54356999)(82746002)(66066001)(19580405001)(2501003)(40100003)(2656002)(62966003)(19617315012)(33656002)(110136002)(16236675004)(77156002)(87936001)(77096005)(99936001)(76176999)(2900100001)(15975445007)(86362001)(102836002)(2351001)(2950100001)(19580395003)(99286002)(50986999)(104396002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR06MB1826; H:BLUPR06MB1828.namprd06.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: multipart/signed; boundary="Apple-Mail=_F4816AB9-DECA-4989-A10C-DDC5DB0D63C0"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
X-OriginatorOrg: isoc.org
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Jul 2015 10:59:33.6952 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 89f84dfb-7285-4810-bc4d-8b9b5794554f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR06MB1826
Archived-At: <http://mailarchive.ietf.org/arch/msg/therightkey/E9aabxUBsm6SiEPLLAYVzouVnmw>
Subject: [therightkey] Non-digital maps, and 'technical trust'...
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2015 10:59:41 -0000
How did we ever manage? I suspect that using printed maps is one of those skills (like changing gear manually, or shaving with a cut-throat razor) that men cling to out of some atavistic belief that, if it really came down to it, we’d still be able to club a mammoth to death, skin and gut it, and roast it over an open fire. ;^) But to your point about combining different types/styles of PKI: 1 - this is another example of an interesting architectural shift from predominantly hierarchical models to mesh-based ones; it’s starting to be visible in identity interfederation, too. (Not sure what conclusions to draw from that observation yet, but I offer it as a data point). 2 - Combined PKIs obviously raise questions of technical interoperability (not least because, as last week’s IETF sessions illustrated, you’ll have stakeholders like the automotive industry insisting on their own variants of basic elements like certificate format, PKIX, etc. etc.). 3 - More to the point, composite PKIs raise questions of non-technical interoperability between different trust models. Your faith in a WoT-supported assertion of identity, for instance, will be based on different trust factors from your faith in an eIDAS-compliant certificate-based one. This interoperability problem between different trust models already exists in the CA PKI world (where, for instance, the service user and the service provider have certificates with different trust anchors), and hasn’t been elegantly fixed there. If you want to fix the problem centrally, you can fix it contractually, but that’s slow, expensive and inflexible. Fixing it technically would require something like Levels of Assurance, but for trust models, rather than identity assertions… that would be hard. (NB - I think we’re going to have to do something like that anyway, in due course, in order to make sense of the presence of PKI/crypto at multiple layers of the network infrastructure. For instance, what happens to the “trust score” of an inbound connection if it has come supported by a combination of DNSSEC and RPKI? But that’s some way off). If you want to fix it at the client side instead, I think your client is going to end up being a lot thicker than you might currently be hoping. R On 27 Jul 2015, at 21:00, therightkey-request@ietf.org wrote: > > 1. Using composite PKIs (Phillip Hallam-Baker) > > From: Phillip Hallam-Baker <phill@hallambaker.com> > Subject: [therightkey] Using composite PKIs > Date: 27 July 2015 17:02:56 CEST > To: "therightkey@ietf.org" <therightkey@ietf.org>, IETF OpenPGP <openpgp@ietf.org>, "dane@ietf.org" <dane@ietf.org>, <smime@ietf.org> > > > [Followups on therightkey please] > > Thinking about the discussion of the OpenPGP/DANE draft in OpenPGP in my car, I came up with a metaphor for how to approach joining different PKIs. In particular, Werner's comment that Web of Trust doesn't scale. The CA model does scale but it isn't actually much better when trying to identify private individuals rather than employees of a company since the only thing I can validate economically is an email address and that isn't a person. > > We can approach the problem mathematically by considering the work factor (in US$) for causing a breach. > > Combining Web of Trust with CA approaches and interning the assertions in an immutable blockchain like log does provide an approach that scales. The blockchain makes the workfactor time dependent. If the workfactor is $100 before an assertion is enrolled, it will be $trillions after. > > Combining Web of Trust and CA trust is like building a dalek out of fiberglass: Individually, the glass fiber and the epoxy are weak. But using the two in combination locks the strands of glass fibre creating a lightweight shell that can support the weight of a small truck. This part is already written up: > > https://datatracker.ietf.org/doc/draft-hallambaker-prismproof-trust/ > > > The question we are facing now is how we make sense of that type of data. Which is where the car trip comes in. > > I am using GPS to navigate a part of the city I don't know very well. There are multiple resources at my disposal: > > 1) My own knowledge of the area > 2) Signposts on the road > 3) The GPS maps in the car > 4) Offline maps via my cell phone > > Any one of these guides can be fallible. The GPS maps are pre big-dig (no CANBUS modem car for me) so they are out of date. Offline maps are more likely to be up to date but a malicious provider can direct specific individuals to the wrong place. > > The fact that there is a human in the loop actually keeps the mapping service providers accountable. Even if 99% of drivers don't know where they are going. The fact that there are roadsigns and the fact that a few do know where they are going means that if the service defects, they are likely to be caught. > > Using a pure online mapping service like Google Maps and a thin client means that I am always up to date but exposes all my movements to them. It also breaks if I am in Prague on a crappy AT&T data plan costing $20/Mb for international roaming. [Do the AT&T execs consider the semiotics of sending their customers a text message saying 'we are going to try to steal from you now' every time they cross an international border. > > Using a pure offline map like the DVDRom based system in the Honda means that nobody can track me by my use of a mapping service. It also means that the maps are ten years out of date as I don't plan on replacing the van till the child whose car seat it was built to fit has learned to drive and won't trash the transmission. > > The best map I have is actually an application on the phone that has downloadable maps for the whole of Europe and North America. The mapping service obviously preprocesses the maps so that the phone has as little work to do as possible. So it is a 'thick client' but not as thick as it might be. > > > I think the key to making a composite PKI work is to approach the problem in a similar fashion. In the short term we want to be using the 'thin client' as this allows us to change how we analyze data and add new formats. When trying to develop a new protocol, agility is key. But the medium term goal is to have a thick-ish client. > > > _______________________________________________ > therightkey mailing list > therightkey@ietf.org > https://www.ietf.org/mailman/listinfo/therightkey
- [therightkey] Non-digital maps, and 'technical tr… Robin Wilton