Re: Public Key Infrastructure: An Artifact...

2000-11-27 Thread Eric Murray 

On Mon, Nov 27, 2000 at 10:58:23AM -0800, [EMAIL PROTECTED] wrote:


Hi Lynn!
 
 problem is that consumer don't normally  know that they want to check on a
 particular merchant's CRL entry until they realize that they want to go to that
 merchant site. in general, the consumer's aren't going to want  keep a local
 (usenet) database of all CRL entries (however they are distributed) ... so it is
 more likely the ISP would have to keep all the entries ... pushed into a
 database ... and let the consumer do an online database lookup of the CRL
 entries (effectively the local ISP is keeping cached copy of all entries ... and
 uses usenet as the distribution infrastructure).
 
 sometimes, usenet can take several hrs to a day to propogate ... so the person
 may still want to do an online transaction against the agency that issued a
 certificate
 
 In which case, the local ISP would be considered a "stand-in" ... maintaining a
 negative file ... and returning positive answers if there isn't a match in the
 negative file for the online transaction ... in which case the consumer may
 still want to do another online transactions against the master file (located
 somewhere in the internet).
 
 Given that online transactions are being performed ... then it may even be more
 straightforward to use domain name infrastructure to manage distribution and
 management of cached entries. It has a somewhat better online transaction
 semantics than usenet (already). However, since this is turning into  online
 transaction infrastructure  ... it is then possible to eliminate both the
 certificates and CRLs totally and just use the straight-foward domain name
 infrastructure.


However, caching the revocation data (which DNS would do nicely) means
that there needs to be some way for the relying parties to authenticate
the cached revocation data.  They could authenticate the DNS cache, but
that means trusting all those DNS servers.  More practically
the DNS cache servers could authenticate the data as coming from a trusted
DNS server (which is how DNSSEC works now I beleive).  But that forces
the relying parties to trust that the DNS server that they're getting
the revocation data from has done the authentication.  And it
still doesn't address the issue of Mallet operating an evil DNS-CRL
cache which sends out bogus revocation data.  It also requires
the DNS caches to do the public-key crypto.

But, there's a solution- if the DNS servers and caches are sending out
revocation data which is signed by the real authority for revocation data
(whoever that may be for the application), and the relying parties
do the verification, then there's no security problem with the intermediate
DNS servers/caches.

So, IMHO, signed CRLs serve a purpose.

I agree that a cache system like DNS would be nice for CRL distribution
but I think that a usenet-type system would be good enough in practice.

I don't think that propagation delays are that big a problem in practical
use for TLS sites.  A CRL would only be issued if a merchant has shown
some amount of bad behaviour, or if there's been a key compromise.
For bad behaviour, there would likely be some sort of process
involved in issuing the CRL- one single report of merchant fraud would
not cause an issuer to revoke a cert instantly.  So if a merchant
goes "bad", there's likely to be quite a delay before they're revoked-
notices, appeals, etc.  A few hours taken in the distribution of the CRL
once the issuer's completed the process isn't going to make the problem
noticeably worse.

It'd be nice to have instant CRL distribution for key compromise, but
most sites will have been running with the compromised key for some time
before it's detected.  If a site really cares about security after
a key compromise, it could just go get a new cert and use that (after
fixing the problem that caused the compromise of course).





-- 
  Eric Murray   Consulting Security Architect SecureDesign LLC
  http://www.securedesignllc.comPGP keyid:E03F65E5

Re: Public Key Infrastructure: An Artifact...

2000-11-23 Thread Lynn . Wheeler 




Basically cetificates are an implementation of R/O partial replicated
distributed data that were intended to address availability of information in a
predominately offline environment.

In the SSL server certificates, distribution of CRLs tend to create a problem
for consumers because they aren't likely to want to see 99.%
of the CRLs distributed and/or they aren't online at the time the CRLs are
distributed (and/or if done via email would create a horrible spam issue ...
every possible consumer in the world receiving email CRLs from every possile SSL
server certificate issuing CA).

The other solution is to go online and do real-time checks ... but doing
real-time checks invalidates basic design decision trade-offs associated with
choosing a R/O partial replicated distributed data implementation in the first
place.

A number of other efforts have looked at the trade-offs associated with large
distributed data implementations and have made various different implementation
decisions based on different criteria  requirements. Some  of the partially
replicated data implementations have gone to the trouble  if 1) truely offline,
R/O replicated data that has low change frequency, and possible adverse effects
of dealing with stale data is non-existent or 2) support R/W partial replicated
distributed data with various dictionary implemenations keeping track of the
"current" R/W owner.

However, in the case of both having R/O replicated distributed data and also
requiring online access ... creates a situation where the R/O replicated
distributed data implementation is redundant and superfulous (except in some
scenerios where the packet of R/O replicated distributed data is significantly
larger than the transaction to check on its staleness ... aka multi-megabyte
documents might be an example).

It isn't that you can't have perfect R/O replicated distributed data
implementation if there is also concurrent real-time access to the original data
... but that usually invalidates the design decisions trade-offs that justified
having a R/O replicated distributed data implemenation in the first place.

The degree of redundancy and superfulous becomes more significant as outlined in
the SSL server certificate case ... where 1) in large part SSL server
certificates are justified to address integrity weaknesses in the domain name
infrastructure, 2) SSL server certificate issuing agencies are dependent on the
domain name infrastructure as the authoritative source associated with proofing
information for issuing an SSL server certificate, 3) correcting integrity
weaknesses in the domain name infrastructure (needed by the SSL server
certrificate issuing agencies) by registering public keys with domains names, 4)
said registered public keys can both a) eliminate integrity weaknesses
justifying SSL server certificates and b) be distributed as part of domain name
server real time request to the client ... which then can be used in a much more
efficient SSL protocol implemenation.

A possibly better phrase is that in a large number of cases revokation isn't
practical w/o real-time access to the original data ... but real-time access to
the original data obsoletes the need for revokation (by obsoleting the necessity
for R/O partial data replication which might require revokation).

The issue in many scenerios  isn't that revokation can't work ... it can work if
you have real time access to the original data  ... which obsoletes the
requirement for R/O partial data replication which in turn obsoletes the
requirement for revoking R/O partial data replication. The ideal solution for
revokation is somehting of a catch-22 ... the ideal solution for revokation also
removes the requirement for revokation (somewhat analogous to the catch-22 for
solving the problem that SSL server certificate issuing agencies have with
domain name server infrastructure integrity issues ... the solution is also the
seed for obsoleting the need for issuing SSL server certificates).






Mark Scherling [EMAIL PROTECTED] on 11/23/2000 09:24:51 AM

To:   Bram Cohen [EMAIL PROTECTED]
cc:   Lynn Wheeler/CA/FDMS/FDC@FDC, "Arnold G. Reinhold"
  [EMAIL PROTECTED], Ben Laurie [EMAIL PROTECTED],
  [EMAIL PROTECTED], [EMAIL PROTECTED],
  [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject:  Re: Public Key Infrastructure: An Artifact...



I would like to get further information as to why you don't think revocation
does
not work?  I'll admit that in the case of the revocation of Sun's certificates,
it
was very apparent that the notification process was weak.  The other piece, the
browser checking of expired/revoked certificates is non-existent but if you
properly
set up your application, it "should" check the revocation status of both the CA
certificate and the subscriber's certificate.

Your thoughts?


Bram Cohen wrote:

 On Wed, 22 Nov 2000 [EMAIL PROTECTED] wrote:

  the other scenerio that some certificatio

Re: Public Key Infrastructure: An Artifact...

2000-11-23 Thread Paul Crowley 

[EMAIL PROTECTED] writes:
 The other solution is to go online and do real-time checks ... but
 doing real-time checks invalidates basic design decision trade-offs
 associated with choosing a R/O partial replicated distributed data
 implementation in the first place.

Have you looked at the design of SPKI CRLs?  I think there are
possibilities in there that address the difficulties you raise.
-- 
  __
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/

Re: Public Key Infrastructure: An Artifact...

2000-11-20 Thread Tim May 

At 11:40 AM -0800 11/20/00, Ray Dillinger wrote:
On Mon, 20 Nov 2000 [EMAIL PROTECTED] wrote:

as pure asside ... any SSL server certificate signed by any CA
  in my browswer's CA list is acceptable.

my broswer makes no distinction on which CA signed what ...
  and/or even what they signed. If I get a certificate signed
  by any CA in my browswers list that says foo.bar ...


I think that one of the major problems with PKI is the "binary-ness"
of it.  Everything gets shoveled into "acceptable" or "not acceptable"
at the end of the process, but I don't think it's appropriate in
trust decisions to have stuff shoveled into "acceptable" and "not
acceptable" piles at the very beginning.

We can't give a numeric score to the degree of trust we place in a
CA.  There's no protocol for exchanging information about breaches
in trust regarding particular certs, so we can't have a policy for
auto-updating our trust model.

These problems with binary trust in hierarchical models ("trust this 
cert because the highest node said to trust it") have been dealt with 
many, many times.

Cf. my own articles on probabalistic networks, belief networks, and 
Dempster-Shafer measures of belief.

I don't even see how thoughtful people can continue to believe this 
is still a debatable issue. Those pushing X.509 and similar 
hierarchical systems have their own statist axes to grind...and they 
like the commission they get off of each of the King's certs.


--Tim May



-- 
(This .sig file has not been significantly changed since 1992. As the
election debacle unfolds, it is time to prepare a new one. Stay tuned.)

Re: Public Key Infrastructure: An Artifact...

2000-11-20 Thread Bram Cohen 

On Sun, 19 Nov 2000 [EMAIL PROTECTED] wrote:

  When the user goes to www.amazon.com, they get a plaintext http redirect
  to amazon.hackeddomain.com, which does check.
 
 Still confused...
 
 The original connection to www.amazon.com is an SSL connection, right?
 We are following an https: URL?  (Otherwise, SSL would not even come
 into the picture.)

No, the attacker interferes with the very first connect to www.amazon.com,
probably at the DNS level, and that's almost always done plaintext.

-Bram Cohen

Re: Public Key Infrastructure: An Artifact...

2000-11-16 Thread Greg Broiles 

On Thu, Nov 16, 2000 at 03:53:28PM -0800, Ed Gerck wrote:
  http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html
 
  Public Key Infrastructure: An Artifact Ill-Fitted to the Needs of the
  Information Society
 
  Abstract
 
  It has been conventional wisdom that, for e-commerce to fulfill its
  potential, each party to a transaction must be confident in the identity of
  the others.
 
 This is the law for commerce, except for cash transactions of non-controlled
 goods. Firearm sales usually require proof of identity (at least) even for a
 cash transaction.

That's a matter of state law - Federal law doesn't (yet) regulate firearm
transactions between two residents of the same state where neither is
licensed federally as a firearms dealer, so long as the firearms themselves
aren't specially controlled (like Class 3 full-auto weapons, or short-
barreled rifles/shotguns, etc). 

Nevertheless, the main point above is wrong, too - commercial law certainly
does NOT require parties to be confident about the identity of counterparties.
In most circumstances, identity is irrelevant; and even in disputed 
transactions, it's very rare that identity becomes crucial. Further, the
identity of counterparties isn't fixed or decided at the time a contract is
formed - one or more of the participants may later want to correct, amend,
or restate the contractual listing of the parties, to include or exclude
parties who are thought to have greater or fewer assets, or greater or
lesser culpability, in order to enhance their chances for successful
litigation. 

There's a persistent superstition among technologists who do ecommerce
work that knowing someone's identity is necessary or sufficient to 
successfully litigate against them - neither side of that assumption is
true. It can be the hardest thing in the world to successfully serve 
a summons and complain on a well-known party - cf. the ligitation against
the Scientology head, whose name escapes me at the moment. On the other
hand, big companies angry about message-board postings have been filing
complaints very successfully against unknown (or pseudonymously named)
entities, much to the aggravation of people who believe that their 
marginally greater understanding of technology makes them somehow 
unreachable or unaccountable.

Even assuming that someone is successfully served with a complaint, 
that's a long way from winning a lawsuit, which is a long way from
collecting on a judgement.

Traditional non-legal means of enforcing contracts - like adding the
person to a blacklist of "naughty debtors" doesn't depend on any
sort of proof of identity or proof that a contract ever existed, or
was breached - it's easy (if you're a commercial entity of at least
moderate size) to add people you believe owe you money to the credit
reporting agencies' databases, whether your target is an individual or
a business. The reporting agencies require no proof at all - they'll
accept the creditors' representations about the alleged debt, and
proceed from there. 

Identity - and complicated theoretical proofs of identity - are
not especially important in commercial law or litigation. It's relatively
easy to follow the paths of money and/or goods in commercial 
transactions - and where it's not, the likelihood of recovery is
slim even if the counterparty is well-identified, so litigation
is unlikely. 

Identity does have the advantage of being a very familiar idea, so
it's easy to generate and keep certificates about it, which give
counterparties a nice warm feeling that they're doing something
about the risks they face in a transaction. That feeling is 
unrelated to what's actually happening, but it does serve to lubricate
the wheels of commerce.

--
Greg Broiles [EMAIL PROTECTED]
PO Box 897
Oakland CA 94604

Re: Public Key Infrastructure: An Artifact...

2000-11-16 Thread Ed Gerck 



Greg Broiles wrote:

 On Thu, Nov 16, 2000 at 03:53:28PM -0800, Ed Gerck wrote:
   http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html
  
   Public Key Infrastructure: An Artifact Ill-Fitted to the Needs of the
   Information Society
  
   Abstract
  
   It has been conventional wisdom that, for e-commerce to fulfill its
   potential, each party to a transaction must be confident in the identity of
   the others.
 
  This is the law for commerce, except for cash transactions of non-controlled
  goods. Firearm sales usually require proof of identity (at least) even for a
  cash transaction.

 That's a matter of state law - Federal law doesn't (yet) regulate firearm
 transactions between two residents of the same state where neither is
 licensed federally as a firearms dealer, so long as the firearms themselves
 aren't specially controlled (like Class 3 full-auto weapons, or short-
 barreled rifles/shotguns, etc).

That is why I wote "usually" -- it may vary.

 Nevertheless, the main point above is wrong, too - commercial law certainly
 does NOT require parties to be confident about the identity of counterparties.

So, you think that  credit-cards deals would not need names or any real-life id, just 
assets?

Surely, the merchant gets paid regardless, even  if you use a false name.  But this is 
not the
end of id fraud. The bank still goes after the money...and uses the law against 
fraudulent
practices to enforce the cardholder agreement, or criminal statues. If Mr. X uses his 
wife's
credit-card, Mr. X is technically committing id fraud, and wire-fraud. Of course it 
works most
of the time... But when it does not, and someone comes enforcing, someone will ask, 
did you
Mr X, uses Mrs X's credit-card, and represent yourself thereby as Mrs X?

Cheers,

Ed Gerck

Re: Public Key Infrastructure: An Artifact...

2000-11-16 Thread Mac Norton 

Of course not. Unilateral offers can be made to a defined class
of persons and accepted by action thereon. An old principle, but
valid still.
MacN

On Thu, 16 Nov 2000, Greg Broiles wrote:
  
   It has been conventional wisdom that, for e-commerce to fulfill its
   potential, each party to a transaction must be confident in the identity of
   the others.

Re: Public Key Infrastructure: An Artifact...

2000-11-16 Thread Ed Gerck 



Mac Norton wrote:

 Of course not. Unilateral offers can be made to a defined class
 of persons and accepted by action thereon. An old principle, but
 valid still.

Yes but the problem faced by e-commerce is what happens when it
fails.  So, while I agree with you that  it is not true that "for e-commerce to
fulfill its potential each party to a transaction must be confident in the identity of
the others", the practice in e-commerce is that security is based on breaking
your privacy! And this is not only in terms of credit checks but also in covert
background checks teaming up with law enforcement (as candidly admitted by
eBay management in a meeting in DC some months ago).

Cheers,

Ed Gerck

 MacN

 On Thu, 16 Nov 2000, Greg Broiles wrote:
   
It has been conventional wisdom that, for e-commerce to fulfill its
potential, each party to a transaction must be confident in the identity of
the others.

Re: Public Key Infrastructure: An Artifact...

2000-11-16 Thread Greg Broiles 

On Thu, Nov 16, 2000 at 08:11:25PM -0600, Mac Norton wrote:
 
 Of course not. Unilateral offers can be made to a defined class
 of persons and accepted by action thereon. An old principle, but
 valid still.
 MacN
 
 On Thu, 16 Nov 2000, Greg Broiles wrote:
   
It has been conventional wisdom that, for e-commerce to fulfill its
potential, each party to a transaction must be confident in the identity of
the others.

The quoted text isn't mine - but, to further expand on Mac's comments,
it's not even necessary that the offeror's identity be clear to potential
acceptors. It's quite likely that many people and organizations are 
wrong about the assumptions they make about identity - you may think
you've bought fast-food from McTacoKing, but it turns you you purchased
food from an out-of-state corporation that's a franchisee of another
out-of-a-different-state corporation who licenses out their recipes and
trademarks to different people. 

This ambiguity may go both directions - the local McTacoKing may 
purchase services (like, say, carpet cleaning, or drain cleaning) from
yet another locally-held but distantly-registered corporation who's just 
a franchisee/licensee of widely-recognized trademarks in those fields.

It's easy to be sloppy and say that transaction represents a contract
between McTacoKing and DrainSuckers - but that's not true at all. 

It's rare for people to even bother asking about niceties like business
form (corporation vs. LLC vs. partnership vs. whatever), much less
actually bother to figure out whether what's represented is really 
true - nobody bothers to call the Secretary of State and ask if the
business called "X, Inc." really is a corporation, really is registered,
really does have officers, etc., until people start using the words
"million" or "billion". Trillions of dollars in small transactions
take place without any attention at all paid to identity, in a 
legally significant sense - people do pay attention to trademarks, 
but those have only a slight relationship to the legal entitites 
involved.

Even moderately sized-organizations find it useful to divide their
operations into a number of legal entities, which may have common
owners or have parent/subsidiary relationships - but invariably they
hide that complexity behind a nice shiny trademark, because it's 
just distracting for people to think that "barnesandnoble.com" isn't
really the same company as the people who run the bookstore down
the street - or that the UPS who ships the books that the online
entity sells you isn't the same UPS who sells the online entity the 
insurance on the safe delivery of that package. It's distracting
to think that the entity which places a taxicab company ad in the
yellow pages (which have the same logo as the local phone company, 
but are actually a separate corporation) isn't paid for by the
corporation which owns the taxi which drives customers around, which
isn't the same as the person who's driving, and may not even be
the same company as the one which holds the taxi medallion. 

And who wants to think about the (lack of) identity between different
banks and insurance companies who operate under the same trademarks
and in the same office space? If you've got a savings account in
a Bank of America branch in California and a checking account in
a Bank of America branch in Oregon and a mutual fund account in
a Bank of America branch in Oregon, how many different entities have
you opened accounts with? 1? Bzzt! 3, or at least that was true 
before Congress clobbered the Glass-Stegall Act last year.

Does that bother the people who cheerfully issue domain names and
X.509 certs to various of these different entities? Nope. Does it
bother consumers? Nope. Nobody cares, just like nobody cares that
individual identities are pretty fluid, too, given that one name
can be reused across many different meat things, and a single meat
thing may, perfectly legally, use a number of different identies.
The relationship between meat-world entities (including their
cousins, the entities created by registration with governments or
by mutual agreement of participants) and text strings like 
"John Smith" or "Bill Clinton" or "Bank of America" is 
not one-to-one but many-to-many, and that's not going to change. 
The legal system is accustomed to this ambiguity, and deals with
it as necessary.

Efforts to "fix" this and force people or corporations to identify
in some enforceable way the underlying legal entities involved in
a transaction are doomed to failure. The flexibility inherent in
the ambiguity is important to getting things done - it's not a
bug, it's a feature.

--
Greg Broiles [EMAIL PROTECTED]
PO Box 897
Oakland CA 94604

Re: Public Key Infrastructure: An Artifact...

2000-11-16 Thread Bram Cohen 

On Thu, 16 Nov 2000 [EMAIL PROTECTED] wrote:

 Bram Cohen writes:
  In the vast majority of cases, preventing man in the middle attacks is a
  waste of time.
 
 In the sense that, in the vast majority of communications, there is no
 man in the middle attack being mounted?

Yes.

 Couldn't the same thing be said of cryptography, since in the vast
 majority of cases there is no eavesdropping?

Yes, but it's a less vast majority than the ones for which man in the
middle is happening.

 The point in both cases is that if you construct a protocol which has
 weaknesses, eventually people may begin to exploit them.

And if you build a protocol which is a pain to use, noone will use it.

-Bram Cohen

Re: Public Key Infrastructure: An Artifact...

2000-11-14 Thread Lynn . Wheeler 




As an aside ... AADS (http://www.garlic.com/~lynn/ ) relies on existing business
processes that provide secure bindings in account records ... just adding public
key  digital signature to existing authentication processes for
non-face-to-face and/or face-to-face transactions (i.e. the meaning of what is
in the account bindings continues to be what the business processes have defined
those meanings to be).

existing e-commerce is straight forward because it operates almost totally
within existing account-based business processes ... and the business
transactions tend to include more complex bindings from the acocunt records
(than just authentication) ... things like real-time credit-limit, open-to-buy,
running totals, month-to-date and/or year-to-date activity, etc.

the original PKI target from the early '80s for offline email authentication was
a problem since it mostly any kind of authentication binding processes.





"R. A. Hettinga" [EMAIL PROTECTED] on 11/11/2000 11:25:35 AM

Please respond to "R. A. Hettinga" [EMAIL PROTECTED]

To:   [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], Digital
  Bearer Settlement List [EMAIL PROTECTED]
cc:(bcc: Lynn Wheeler/CA/FDMS/FDC)
Subject:  Public Key Infrastructure: An Artifact...



http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html


Public Key Infrastructure: An Artifact Ill-Fitted to the Needs of the
Information Society

Abstract

It has been conventional wisdom that, for e-commerce to fulfill its
potential, each party to a transaction must be confident in the identity of
the others. Digital signature technology, based on public key cryptography,
has been claimed as the means whereby this can be achieved. Digital
signatures do little, however, unless a substantial infrastructure is in
place to provide a basis for believing that the signature means something
of significance to the relying party.

Conventional, hierarchical PKI, built around the ISO standard X.509, has
been, and will continue to be, a substantial failure. This paper examines
that form of PKI architecture, and concludes that it is a very poor fit to
the real needs of cyberspace participants. The reasons are its inherently
hierarchical and authoritarian nature, the unreasonable presumptions it
makes about the security of private keys, a range of other technical
defects, confusions about what it is that a certificate actually
authenticates, and its inherent privacy-invasiveness. Alternatives are
identified.
--
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

For help on using this list (especially unsubscribing), send a message to
"[EMAIL PROTECTED]" with one line of text: "help".