I think this is fundamentally an issue of the history of the DNS and X.500 architecture, combined with social factors since 1996, when the original NSF Directory and DNS grant money ran out and domains (which had been free) became this wild west name space, which has reached some predictable level of insecurity. Inevitably the classic solutions are brought out and rejected. I think the rapid growth of the Internet has been achieved in terms of IP over everything, but security is always going to be a work in progress.
People who understand X.509 versions understand that the original version was highly integrated with the Directory, which provides its own level of assurance. It was also stifling. However, we are seeing a renewed interest in directory variants around the issue of lowering US healthcare processing overhead. Using the Internet has been on the agenda since 2004. There's a long thread here dating back to the 1980s regarding naming, resulting in the fields that are eventually defined in RFC 5280. The ANSI registration component is permanent and perpetual. Like most elements of the Internet that remain insecure, it's a matter of ubiquitous access (domains are cheap, it costs more money to validate a business or organization, so the less secure solution is adopted) or other solutions like pinning are tried. I would be open to partnering with Mozilla and doing this using X.500, but the ANSI name and OID fee is high, which is also the case with NIST LOA 3 certificates. I'm certainly open to any ideas to make this work. Right now there is a governance gap of an organization equivalent to ICANN that is addressed by various industry organizations that do well-known certificate cross-certification at the Federal Bridge and European trust anchors.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

