Re: Proposal for a new PKI model (At least I hope it's new)

From: Bruce Stephens (bruce+usenet_at_cenderis.demon.co.uk)
Date: 09/06/03


Date: Sat, 06 Sep 2003 01:09:51 +0100

George Ou <533george_ou234@netzero234.com> writes:

> On Fri, 05 Sep 2003 12:35:21 +0100, Bruce Stephens
> <bruce+usenet@cenderis.demon.co.uk> wrote:

[...]

>>Why should the whole world trust certificates that I (or rather, that
>>a computer that's somewhat under my control) issue?
>>
>>Why should I trust a certificate that some small organisation in
>>Australia issued?
>>
>>If we should trust these certificates, then presumably it's clear that
>>we should trust them only in a limited sort of way, for limited
>>purposes. (Just as we should do for existing certificates issued by
>>CAs, of course.)
>
> If the official name space root CA for ".au" issues a master domain
> level certificate to a small organization's PKI server in Australia
> for "kangaroo.org", it is a pretty good bet (even if only email
> challenges were used for authentication) that indeed the rightful
> owners of "kangaroo.org" are the owners of that digital certificate.

True. That's roughly what we have now: a few dozen CAs who can issue
certificates to anybody. So thus far, nothing's different except that
you're reducing competition.

> It is up to you how you trust any signatures from kangaroo.org's PKI
> server. The fact that it had authenticated to the root .au CA
> server helps you make that determination yourself, just like you
> trust E-Commerce sites now that Verisign is not BSing you.

It's not just a question of whether Verisign is deliberately doing
something wrong---it's about their procedures and security. How
capable are they of verifying identity (and presumably someone local
would be able to do that better, or at least more cheaply, so that's
where your idea would be better)? How well are they able to prevent
unauthorised certificates from being issued? (i.e., how carefully do
they vet their employees, and how good is their security?)

And for the second part, you're making things worse: firstly there are
just more organisations and more people involved, worldwide.
Secondly, while just about all certificates are issued by Verisign,
Verisign has a hell of a reputation to keep up. So (even without
checking), I can be pretty sure they're going to be careful, because
*everyone* will know when they slip up.

> If you wouldn't trust the PKI server of kangaroo.org, why then would
> you trust the Internic to forward you to kangaroo.org's
> authoritative DNS server? Why now would you believe kangaroo.org's
> DNS server? You trust DNS don't you?

You've lost me. The major part of the point of certificates in
HTTPS is precisely so I don't need to trust DNS: my browser performs
server authentication. Generally speaking I do trust DNS. However,
if you're suggesting we definitely should trust DNS, then web sites
don't need certificates at all.

> The PGP folks certainly put all their trust in DNS.

Nonsense.

> This is simply an extension of the existing commercial PKI model.

This is already possible. The catch is that it's expensive to buy a
certificate which will allow you to issue more certificates. So how
are you going to make that cheaper?

(Actually, it's easy to create certificates---they're just blobs of
bits, after all. OpenSSL can do it straightforwardly. The problem is
the collection of pre-trusted root certificates that get shipped with
common user software.)

> What makes this possible is the name constraint feature in RFC 3280.
> Without it, you would have to trust kangaroo.org to sign for
> anything under the sun which is obviously silly. But adding the
> granularity such that you only trust kangaroo.org's PKI server to
> sign email addresses and host names that end in kangaroo.org is very
> reasonable.

And what makes it infeasible is the current commercial reality of the
PKI world.

[...]
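
Added illustration, not part of the original post: a sketch of how a relying party would evaluate the RFC 3280 name constraints discussed above for host names and email addresses. The function names, the constraint list and the sample names are assumptions made up for this example.

```python
# Added illustration: name-constraint matching for dNSName and rfc822Name,
# following the RFC 3280 rules. All names below are constructed sample data.

def _labels(name):
    return name.lower().rstrip(".").split(".")

def dns_in_subtree(name, constraint):
    """True if name equals the constraint or adds whole labels on its left."""
    n, c = _labels(name), _labels(constraint)
    return len(n) >= len(c) and n[-len(c):] == c

def email_in_subtree(addr, constraint):
    """rfc822Name forms: one mailbox, one host, or '.domain' (hosts below it)."""
    local, _, host = addr.rpartition("@")
    if "@" in constraint:                        # one specific mailbox
        c_local, _, c_host = constraint.rpartition("@")
        return local == c_local and _labels(host) == _labels(c_host)
    if constraint.startswith("."):               # hosts strictly below the domain
        parent = _labels(constraint[1:])
        return len(_labels(host)) > len(parent) and dns_in_subtree(host, constraint[1:])
    return _labels(host) == _labels(constraint)  # any mailbox at exactly that host

MATCHERS = {"dns": dns_in_subtree, "email": email_in_subtree}

def name_allowed(kind, name, permitted, excluded=()):
    """Apply permitted/excluded subtrees, each given as (kind, value) pairs."""
    match = MATCHERS[kind]
    if any(k == kind and match(name, v) for k, v in excluded):
        return False                             # an excluded subtree always wins
    same_kind = [v for k, v in permitted if k == kind]
    # A name form absent from permittedSubtrees is left unconstrained.
    return not same_kind or any(match(name, v) for v in same_kind)

# Hypothetical constraints for the CA certificate issued to kangaroo.org.
PERMITTED = [("dns", "kangaroo.org"), ("email", "kangaroo.org"),
             ("email", ".kangaroo.org")]

def check_leaf(san_entries, permitted=PERMITTED, excluded=()):
    """Return the subjectAltName entries that violate the constraints."""
    return [(k, n) for k, n in san_entries
            if not name_allowed(k, n, permitted, excluded)]

if __name__ == "__main__":
    leaf = [("dns", "www.kangaroo.org"), ("dns", "notkangaroo.org"),
            ("email", "joe@kangaroo.org"), ("email", "joe@example.com")]
    print(check_leaf(leaf))
```

Matching is done on whole DNS labels, so a plain string-suffix comparison is not equivalent, and a CA certificate that lists only dNSName subtrees places no limit on the email addresses it can certify.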


