CDR: Public Key Infrastructure: An Artifact...
the current SSL domain name infrastructure supposedly exists because of issues with trusting the domain name infrastructure ... except the SSL domain name certificate issuer has to trust the same (untrusted) domain name infrastructure when issuing a certificate (i.e. the SSL domain name certificate is no better than the authentication authority that the certificate authority has to rely on as the final arbitrator of domain name ownership). one of the integrity issues with the domain name infrastructure ... is that domain names have been hijacked ... once hijacked ... you can go to certificate authority and get a certificate with that domain name (and the certificate authority will check with the domain name system and confirm that the requester owns the domain name). for more ... see merchant comfort certificate thread at http://www.garlic.com/~lynn/aepay4.htm specific news clipping on hijacking http://www.garlic.com/~lynn/apay4.htm#dnsinteg1 so, the scenario goes that to fix various exposure & integrity risks to SSL domain name certificate infrastructure, the domain name infrastructure that the certification authority relies on needs to have its integrity fixed. the proposal for fixing the domain name infrastructure (on which the SSL domain name certificate issuing authority relies on as the authoritative reference for domain names) is to register public keys at the same time domain names are registered. now the interesting catch-22 is that SSL domain name certificates were in part justified because of weaknesses in the integrity of the domain name infrastructure ... however in order to issue those same SSL domain name certificates, the SSL domain name issuing authority (certificate authority) has to rely on the same domain name infrastructure (that everybody is being told that you can't really trust because of integrity problems ... aka everybody isn't to rely on domain name infrastructure ... because it can't be trusted ... so buy a SSL domain name certificate .... however the SSL domain name certificate issuing certification authority is allowed to rely on the same domain name infrastructure for its authoritative information. The SSL domain name certificate issuing certification authority just isn't telling everybody that it has to reference the domain name infrastructure in order to validate a request for an SSL domain name certificate. I would call that ironic??? Now for even more ironic. In order to fix various integrity exposures in the SSL domain name certificate ... integrity exposures in the domain name infrastructure have to be fixed (i.e. integrity is nominally no stronger than the weakest link). However, fixing integrity exposures in the domain name infrastructure (in order to fix various integrity exposures in SSL domain name certificates) ... can make those certificates superfluous, redundant and unnecessary. Now the issue isn't to use either SSL domain name certificates or domain name infrastructure. Since SSL domain name certificates issuance relies on the domain name infrastructure for its authoritative information ... then the infrastructures that the SSL domain name certificates issuance certification authority relies on has to have its integrity fixed. Now, I considered this somewhat ironic ... that in order to fix a integrity dependency that SSL domain name certificate issuance has ... the fix also eliminates much of the original justification for SSL domain name certificates (i.e. weaknesses in the domain name infrastructure) as well as making SSL domain name certificates superfluous and redundant. SSL domain name certificates provide a binding between public key and domain name. However, if public keys were registered with domain names in the domain name infrastructure ... the purpose of which was to fix various integrity problems in the domain name infrastructure and allow the domain name infrastructure to be trusted by the SSL domain name certificate issuing certification authority ... then the integrity of the domain name infrastructure can be fixed for everybody ... eliminating the purpose of the SSL domain name certificate (aka integrity problems with the domain name infrastructure). Furthermore, if public keys were registered with domain names, then the domain name infrastructure could serve up real-time bindings of public keys and domain names (as part of the domain name lookup process). If a SSL protocol ... when it asked the domain name system to resolve a domain name ... could set a flag and asked that both the resolved domain name and the registered public key be returned ... the efficiency of the SSL protocol would be improved. All in all 1) fixing integrity of domain name infrastructure (so you can trust SSL certificates) eliminates much of the requirement for SSL certificate (i.e. needed because of integrity problems in the domain name infrastructure 2) fixing integrity of domain name infrastructure with the registration of public keys and making that information public as part of standard domain name infrastructure provides a trusted binding between domain name and public key ... making the SSL domain name certificate superfluous and redundant. Now as to the other kind of certificate. My wife and I were hired by a financial services company in 1994 to work with a small client/server startup on the peninsula that wanted their server to be able to interface to the financial transaction infrastructure. One of the things that I eventually specified as part of that infrastructure was a consumer oriented certificate (along the lines of BBB, consumer reports, etc). However, the whole thing was in its infancy and they were having enuf other problems creating infrastructures ... so it has yet to happen. Two people my wife and I worked with at the startup are referenced in the following: http://www.garlic.com/~lynn/aadsmore.htm#dctriv random other refs: http://www.garlic.com/~lynn/aadsmore.htm#client3 http://www.garlic.com/~lynn/aadsmore.htm#client4 http://www.garlic.com/~lynn/96.html#32 http://www.garlic.com/~lynn/2000b.html#18 http://www.garlic.com/~lynn/95.html#13
Lynn.Wheeler@firstdata.com wrote:
the current SSL domain name infrastructure supposedly exists because of issues with trusting the domain name infrastructure ... except the SSL domain name certificate issuer has to trust the same (untrusted) domain name infrastructure when issuing a certificate (i.e. the SSL domain name certificate is no better than the authentication authority that the certificate authority has to rely on as the final arbitrator of domain name ownership).
one of the integrity issues with the domain name infrastructure ... is that domain names have been hijacked ... once hijacked ... you can go to certificate authority and get a certificate with that domain name (and the certificate authority will check with the domain name system and confirm that the requester owns the domain name).
The difference is that a CA _also_ binds the certificate to a legal entity. When the fraud is discovered, the identity of the fraudster is, too. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
At 12:08 PM +0000 11/19/2000, Perry commented:
[I see you've never paid attention to how easy it is to get a certificate, Ben. I suspect I could get one in the name of any company with about 20 minutes of unskilled forgery. The level of checking done is trivial. This wouldn't be a problem except for the fact that all CAs disclaim any and all liability for practical purposes. --Perry]
Perry's last sentence gets to the heart of the matter. If CAs included a financial guarantee of whatever it is they are asserting when they issue a certificate, then all these problems would go away. The CAs would have a strong interest in clarifying the semantics of certificates and would choose technology and verification methods that optimized the risk vs cost (including difficulty of use) tradeoff. I believe the reason this has not happened yet is that various business interests perceive an opportunity to get the government to shift all risk to the consumer by snowing legislators with crypto mumbo-jumbo. That is an even cheaper solution from the business interests' perspective. Arnold Reinhold
At 12:10 PM -0500 on 11/20/00, Arnold G. Reinhold wrote:
If CAs included a financial guarantee of whatever it is they are asserting when they issue a certificate, then all these problems would go away.
Right. Like Ellison (and Metzger :-)) have said for years now, the only "assertions" worth making are financial ones. "Identity", biometric/meat, or otherwise, is only a proxy for asset protection anyway. I claim you can do this on the net without the current mystification of identity that exists in the financial system, using bearer asset cryptography, among other things, but that's another discussion altogether. Cheers, RAH -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
On Mon, 20 Nov 2000, R. A. Hettinga wrote:
At 12:10 PM -0500 on 11/20/00, Arnold G. Reinhold wrote:
If CAs included a financial guarantee of whatever it is they are asserting when they issue a certificate, then all these problems would go away.
Right.
Bonding would not fix this problem. It only moves the question of identity and responsibility to the bonding agency. You've still solved nothing.
Like Ellison (and Metzger :-)) have said for years now, the only "assertions" worth making are financial ones. "Identity", biometric/meat, or otherwise, is only a proxy for asset protection anyway.
Bullshit. Identity is a asset as much as a digital balance in my banks computer. This is a false distinction.
I claim you can do this on the net without the current mystification of identity that exists in the financial system, using bearer asset cryptography, among other things, but that's another discussion altogether.
But how do you certify the bearer's identity without a CA or reverting to something along the lines of the PGP web-of-trust? Who writes and certifies the bearer algorithms? ____________________________________________________________________ He is able who thinks he is able. Buddha The Armadillo Group ,::////;::-. James Choate Austin, Tx /:'///// ``::>/|/ ravage@ssz.com www.ssz.com .', |||| `/( e\ 512-451-7087 -====~~mm-'`-```-mm --'- --------------------------------------------------------------------
On Mon, Nov 20, 2000 at 02:18:42PM -0600, Jim Choate wrote:
Real-To: Jim Choate <ravage@ssz.com>
On Mon, 20 Nov 2000, R. A. Hettinga wrote:
At 12:10 PM -0500 on 11/20/00, Arnold G. Reinhold wrote:
If CAs included a financial guarantee of whatever it is they are asserting when they issue a certificate, then all these problems would go away.
Right.
Bonding would not fix this problem. It only moves the question of identity and responsibility to the bonding agency. You've still solved nothing.
It's not a bond; and it doesn't solve the problem directly, but moves responsibility for solving the problem out of the end users' domain and into the CA's (or guarantor's) domain, where their greater resources and experience (and liability) will help them solve the problem in the most efficient and economic fashion. It's like putting prices on corporate or government bonds - you can look at the price of the bond to get an idea of the confidence people have in the likelihood that the underlying obligation will be repaid. Certificates which are priced on a risk-sensitive basis - or whose face value (or guarantee value, or whatever) is risk-sensitive allow people (and their computers) to immediately see both their own risk exposure in concrete terms, and to have an idea of what the market (including sophisticated participants) thinks about the risk. -- Greg Broiles gbroiles@netbox.com PO Box 897 Oakland CA 94604
At 1:25 PM -0500 11/20/00, R. A. Hettinga wrote:
At 12:10 PM -0500 on 11/20/00, Arnold G. Reinhold wrote:
If CAs included a financial guarantee of whatever it is they are asserting when they issue a certificate, then all these problems would go away.
Right.
Like Ellison (and Metzger :-)) have said for years now, the only "assertions" worth making are financial ones. "Identity", biometric/meat, or otherwise, is only a proxy for asset protection anyway.
I claim you can do this on the net without the current mystification of identity that exists in the financial system, using bearer asset cryptography, among other things, but that's another discussion altogether.
And I have been asserting for years that _belief_ is all that matters. Or, more carefully put, that all issues of lawyers, backing by gold, financial instruments, escrow, bonds, etc. are issues of "How is belief affected?" One can think of many examples of where issues of identity, home address, name of lawyers, credit ratings, amount of a bond, etc. are really issues of belief in some outcome. One _believes_ that someone with a verifiable home and business address is more likely to be collected from (in a transaction or legal judgement) than someone with only a pseudonym. And one _believes_ that someone one has met is, for all intents and purposes, who he says he is (or, rather, that a key he represents to be his wills serve as adequate I.D. for future transactions.) A financial bond, or guarantee, is only one aspect of belief. Perhaps an important one, but only a subset. Belief is all. "All cryptography is about belief." --Tim May -- (This .sig file has not been significantly changed since 1992. As the election debacle unfolds, it is time to prepare a new one. Stay tuned.)
On Mon, 20 Nov 2000, Arnold G. Reinhold wrote:
Perry's last sentence gets to the heart of the matter. If CAs included a financial guarantee of whatever it is they are asserting when they issue a certificate, then all these problems would go away.
They aren't going to. -Bram Cohen
At 1:59 PM -0800 11/20/2000, Bram Cohen wrote:
On Mon, 20 Nov 2000, Arnold G. Reinhold wrote:
Perry's last sentence gets to the heart of the matter. If CAs included a financial guarantee of whatever it is they are asserting when they issue a certificate, then all these problems would go away.
They aren't going to.
-Bram Cohen
It's still early in the game to be so certain. But if you are right, that in it self is an indictment of PKI. If there really is a market for trust establishment and a form of PKI is the low cost producer of trust, then someone should be able to make money by using their expertise to assemble a technology suite and sell trust insurance based on the spread between the risk perceived by the market and what they know to be a lower risk. If such services never develop, it either means there is no market or PKI doesn't have enough economic impact to cover the costs of starting such a business. Arnold Reinhold
On Wed, 22 Nov 2000, Arnold G. Reinhold wrote:
It's still early in the game to be so certain. But if you are right, that in it self is an indictment of PKI. If there really is a market for trust establishment and a form of PKI is the low cost producer of
But there is no market for 'trust'. What the market wants is 'proof'. They're not 1-to-1. ____________________________________________________________________ He is able who thinks he is able. Buddha The Armadillo Group ,::////;::-. James Choate Austin, Tx /:'///// ``::>/|/ ravage@ssz.com www.ssz.com .', |||| `/( e\ 512-451-7087 -====~~mm-'`-```-mm --'- --------------------------------------------------------------------
participants (9)
-
Arnold G. Reinhold -
Arnold G. Reinhold
-
Ben Laurie -
Bram Cohen -
Greg Broiles -
Jim Choate -
Lynn.Wheeler@firstdata.com -
R. A. Hettinga -
Tim May