Re: [therightkey] Draft charter for a Transparency Working Group
Phillip Hallam-Baker <hallam@gmail.com> Thu, 12 December 2013 15:24 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F7D01AE2F9 for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 07:24:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_FREEMAIL_DOC_PDF=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id riRiYMCKhms4 for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 07:24:10 -0800 (PST)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) by ietfa.amsl.com (Postfix) with ESMTP id 30D8F1A1F61 for <therightkey@ietf.org>; Thu, 12 Dec 2013 07:24:09 -0800 (PST)
Received: by mail-wi0-f169.google.com with SMTP id hn6so917623wib.0 for <therightkey@ietf.org>; Thu, 12 Dec 2013 07:24:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=A1Qf3KhiG4+d/Efc3az35r+TOFFDbQeD7RENsuJN+jQ=; b=Vmgc0DZUJ5M82sVgg6ZLDBuuZyrVUsMJ5LjzM1FbxGvo6xqNb0f1sfs/0m0O7swB6z /bVzYz5+ZeJHhjwKLo7CjmsP1hEY5SrCPPWZggqboBHs5EhztkUoXzPSEW6iJIHsHiZ0 GYEVIcV+2rquwLYn1kfr0keo2v9eAcZvb1MSavytJuYJCezdexz6nM9OIAFl8+olfWjD VVqXorg96tUyqjamfRxLM3Gl/n1kQHbDgO12gQDk8fxP2qHyPYwAuHWGf6QWq8T4m1Dx yAeed0RfG3oRd6CJsyTxpHxGl9S/fQk7RcpajuaFfz0+s20ID4FvX4hVEM9wmc40zfkg Q/sA==
MIME-Version: 1.0
X-Received: by 10.194.94.167 with SMTP id dd7mr7123595wjb.43.1386861842696; Thu, 12 Dec 2013 07:24:02 -0800 (PST)
Received: by 10.194.243.136 with HTTP; Thu, 12 Dec 2013 07:24:02 -0800 (PST)
In-Reply-To: <CECF0556.29FC3%paul@marvell.com>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com> <CECE51D6.29F5B%paul@marvell.com> <CABrd9SRwkxWYV9L1iWsyCqzMYKAcpoeSRh+kG6MMMzZC0y8siw@mail.gmail.com> <CECF0556.29FC3%paul@marvell.com>
Date: Thu, 12 Dec 2013 10:24:02 -0500
Message-ID: <CAMm+LwhUEpVSM-Lvtoh2KJoHSJonxhxWL-Qjc6fLgkWLQzB8Kw@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "therightkey@ietf.org" <therightkey@ietf.org>
Content-Type: multipart/mixed; boundary="047d7bb03c467caf3804ed57ef22"
Subject: Re: [therightkey] Draft charter for a Transparency Working Group
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Dec 2013 15:24:14 -0000
On Thu, Dec 12, 2013 at 9:39 AM, Paul Lambert <paul@marvell.com> wrote: > > > >> > >> On 12/11/13, 8:55 AM, "Ben Laurie" <benl@google.com> wrote: > >> > >>>Who's in? > >> Very cool concept Š very broad possible applications. > >> Less interested in HTTPS/TLS, but many applications. > > > >Great - can you be more specific what interests you? > > 1) Basic logs and the ability to have assurance on time and order > 2) Distributed authorization systems with an ability to demonstrate the > existence > and ordering of authorization statements > 3) Time stamps and time synchronization > 4) Group membership / enrollment > 5) 'key centric' identity (mappings using hashes of keys as identity) > 6) Service description and discovery without central registration > I am very interested in 5, in fact my strong email addresses are really just a convenient notation for key centric identity. But there are two questions here: 1) What should we do? 2) What should we do in the transparency WG? A draft of the paper I wrote for the IAB/W3C workshop is attached. It describes the scheme I am currently writing code to support. The part of the scheme described in the paper is what I consider 'plumbing'. I don't think that I have foreclosed any options by taking the decisions I did. Most of the design is constrained by previous specifications and by legacy infrastructure. The decision to use JSON to encode the 'Prism Hardening Bit' is driven by fashion but I think that is a good one in this case and I can support it with a use case that JSON meets but not ASN.1. But what I don't describe in the paper is the much bigger part of the scheme that has to do with a next generation PKI model for individual users built on a synthesis of the PKIX, PGP and CT models. I could propose that as a WG item but I get the feeling that Stephen is going to respond that it is research or it should be an experimental or whatever. I really want to fix end-to-end email security. But right now the problem with end-to-end security is not a lack of trust in the key distribution model. The problem that is killing deployment is that the products are too difficult to use. So even though I am building my alternative key distribution infrastructure on the assumption that there is a CT like infrastructure in place, the motivation for building that infrastructure is to solve a different problem. Another area that I have considered and written code for but not yet described is how to use key centric crypto to secure a Web service. For example, let us say that we have some infrastructure that lets us resolve either a hash alone or a hash plus a domain name to a blob of data that is a policy signed under the corresponding key (a PHingerprint Blob, fb was already taken). I am currently using this mechanism to resolve strong email addresses: <fingerprint>?alice@example.com We can use just a Web server and the .well-known convention to resolve (<fingerprint>, example.com) to a policy file. But while I was writing the proxy I suddenly realized that even though my email client lets me check the box that says 'use SSL', the client does not actually check the certificate chain, nor does it let me install my own root of trust to check the chain against. Which is a pretty big hole. So what I would like to be able to do to configure my email client is to specify the mail service connection in a form such as: phb://example.com/_submit._tcp/<fingerprint> The corresponding policy would then contain the port and service DNS name data for connecting to the submit service at example.com. We can further use this as a discovery mechanism for the phingerprint as follows: Let us assume that all the user tells the client is their email address ( alice@example.com) and the client is to work out everything else for themselves. So the client knows that it wants to talk the SUBMIT protocol (_submit._tcp) and it knows the domain (example.com). It can now form a .well-known query for the phingerprint of the corresponding domain: https://example.com/.well-known/phb/ http://example.com/.well-known/phb/ As a short term measure the user would have to enter a one-time passphrase to provide initial authentication. But in the longer term this should be replaced by an out of band confirmation service. When I buy a new device I want to be able to configure it for use with all my applications through a one time process in which I tell the device which account(s) to use and then I get an out of band request for confirmation that this is what I want to do on an already configured and trusted device. -- Website: http://hallambaker.com/
- [therightkey] Draft charter for a Transparency Wo… Ben Laurie
- Re: [therightkey] Draft charter for a Transparenc… Rob Stradling
- Re: [therightkey] Draft charter for a Transparenc… Stephen Farrell
- Re: [therightkey] Draft charter for a Transparenc… Phillip Hallam-Baker
- Re: [therightkey] Draft charter for a Transparenc… Daniel Kahn Gillmor
- Re: [therightkey] Draft charter for a Transparenc… Livingood, Jason
- Re: [therightkey] Draft charter for a Transparenc… Paul Wouters
- Re: [therightkey] Draft charter for a Transparenc… Ben Laurie
- Re: [therightkey] Draft charter for a Transparenc… Ben Laurie
- Re: [therightkey] Draft charter for a Transparenc… Ben Laurie
- Re: [therightkey] Draft charter for a Transparenc… Ben Laurie
- Re: [therightkey] Draft charter for a Transparenc… Leif Johansson
- Re: [therightkey] Draft charter for a Transparenc… Leif Johansson
- Re: [therightkey] Draft charter for a Transparenc… Phillip Hallam-Baker
- Re: [therightkey] Draft charter for a Transparenc… Warren Kumari
- Re: [therightkey] Draft charter for a Transparenc… Lucy Lynch
- Re: [therightkey] Draft charter for a Transparenc… Lucy Lynch
- [therightkey] Fwd: [perpass] Draft charter for a … Phillip Hallam-Baker
- Re: [therightkey] Draft charter for a Transparenc… Paul Lambert
- Re: [therightkey] [perpass] Draft charter for a T… Ben Laurie
- Re: [therightkey] Draft charter for a Transparenc… Ben Laurie
- Re: [therightkey] Draft charter for a Transparenc… Ben Laurie
- Re: [therightkey] Draft charter for a Transparenc… Leif Johansson
- Re: [therightkey] Draft charter for a Transparenc… Stephen Farrell
- Re: [therightkey] Draft charter for a Transparenc… Paul Lambert
- Re: [therightkey] Draft charter for a Transparenc… Ben Laurie
- Re: [therightkey] Draft charter for a Transparenc… Phillip Hallam-Baker
- Re: [therightkey] Draft charter for a Transparenc… Ben Laurie
- Re: [therightkey] Draft charter for a Transparenc… Ben Laurie
- Re: [therightkey] Draft charter for a Transparenc… Stephen Farrell
- Re: [therightkey] Draft charter for a Transparenc… Ben Laurie
- Re: [therightkey] Draft charter for a Transparenc… Warren Kumari
- Re: [therightkey] Draft charter for a Transparenc… Ralph Holz
- Re: [therightkey] Draft charter for a Transparenc… Ben Laurie
- Re: [therightkey] Draft charter for a Transparenc… Tom Fitzhenry
- Re: [therightkey] Draft charter for a Transparenc… Stephen Farrell
- Re: [therightkey] Draft charter for a Transparenc… Stephen Farrell
- Re: [therightkey] Draft charter for a Transparenc… Ben Laurie