Re: confidence in CA
- From: Anne & Lynn Wheeler <lynn@xxxxxxxxxx>
- Date: Mon, 24 Apr 2006 13:53:12 -0600
Sebastian Gottschalk <seppi@xxxxxxxxx> writes:
man Web of Trust
man PGP
note that the original pk-init draft for kerberos
http://www.garlic.com/~lynn/subpubkey.html#kerberos
(used in m'soft infrastructure as well as many other authentication
operations) called for registering public key in lieu of
password ... aka w/o digital certificates
http://www.garlic.com/~lynn/subpubkey.html#certless
then there was a strong lobby to add certificate-based option to the
pk-init specification. i've periodically gotten email apologizing from
the person claiming primary responsibility for certificate-based
option being added to pk-init.
what they realized was that they now have a certification authority
based infrastructure for registering entities ... which has primarily
to do with who they are.
except for the trivial, no-security operations ... they then continue
to require the kerberos based registration infrastructure which
involves both information about who the entity is, but also what
permissions need to be associated with the entity. the counter
argument is that every entity in the possession of any valid digital
certificate should be allowed unrestricted access to every system in
the world (regardless of who they are and/or what systems are
involved). the trivial example is that everybody in the world has
unlimited access to perform financial transactions against any and all
accounts that may exist anywhere in the world.
in effect, they now tend to have duplicated registration business
processes ... with the certification authority registration
infrastructure tending to be a subset (and duplicate) of the kerberos
permission oriented registration operation. as a result, the digital
certificates issued by the certification authority based operation
have tended to become superfluous and redundant.
there has been a lot written about various serious integrity
issues related to SSL domain name digital certificates
http://www.garlic.com/~lynn/subpubkey.html#sslcert
part of proposals to improve the integrity of the SSL domain name
certification authority operation ... is to have domain name owners
register public keys (with the domain name infrastructure) when domain
names are obtained. then when entities apply for SSL domain name
infrastructures, they are required to be digitally signed. The
certification authority then can do a real-time retrieval of the
on-file public key from the domain name infrastructure to validate the
digital signature on the SSL domain name digital certificate
application (improving the integrity of the SSL domain name
certification process).
the catch-22 for the SSL domain name certification authority industry
is if the certification authority industry can rely on real-time
retrieval of onfile public keys (from the domain name infrastructure)
as the root of their certification and trust ... then why wouldn't it
be possible for everybody in the world to also start performing
real-time retrievals of the onfile public keys (making any use of SSL
domain name digital certificates redundant and superfluous).
one could even imagine a highly optimized SSL variation where any
public key and crypto-opts are piggy-backed on the same domain name
infrastructure response that provided the domain name to ip-address
mapping (totally eliminating the majority of existing SSL setup
protocol chatter)
--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
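
The on-file public key check described in the post above, as an added example that is not part of the original message. The in-memory Registry, the function names, the Ed25519 choice and the example.com / example.org domains are assumptions made for illustration; a real deployment would retrieve the key from the domain name infrastructure.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Registry stands in (hypothetically) for the domain name infrastructure:
// one on-file public key per domain, recorded when the name is obtained.
type Registry map[string]ed25519.PublicKey

var (
	ErrNoKey  = errors.New("no public key on file for domain")
	ErrBadSig = errors.New("signature does not match on-file key")
)

// VerifyWithOnFileKey does the real-time retrieval and checks sig over msg.
// A certification authority would call it for a signed certificate
// application; a relying party could make the identical call for a message
// signed by the server, which is the catch-22 the post describes.
func (r Registry) VerifyWithOnFileKey(domain string, msg, sig []byte) error {
	pub, ok := r[domain]
	if !ok {
		return ErrNoKey
	}
	if !ed25519.Verify(pub, msg, sig) {
		return ErrBadSig
	}
	return nil
}

// Demo runs a constructed scenario and returns the three outcomes.
func Demo() (owner, impostor, unregistered error) {
	reg := Registry{}
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(nil) // nil = crypto/rand
	_, impostorPriv, _ := ed25519.GenerateKey(nil)
	reg["example.com"] = ownerPub // registered along with the domain name

	app := []byte("certificate application for example.com") // constructed
	owner = reg.VerifyWithOnFileKey("example.com", app, ed25519.Sign(ownerPriv, app))
	impostor = reg.VerifyWithOnFileKey("example.com", app, ed25519.Sign(impostorPriv, app))
	unregistered = reg.VerifyWithOnFileKey("example.org", app, ed25519.Sign(ownerPriv, app))
	return
}

func main() {
	o, i, u := Demo()
	fmt.Println("owner:", o, "| impostor:", i, "| unregistered:", u)
}
```

The same lookup serves the certification authority and the relying party, so the only trust root in the model is the integrity of the registry response itself.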