On Thu, Feb 9, 2012 at 3:05 PM, Stephen Kent <[email protected]> wrote:
At 11:29 PM +0100 2/9/12, DIEGO LOPEZ GARCIA wrote:
> ...and I do agree with you in that whichever entity making such assertion (X.509, SAML, JWT…) has to be authoritative for the identity asserted if you want it to be usable.

I think we are in agreement. CAs that are not authoritative for asserted identities are as bad as federated trust entities with similar properties.
What are these 'identities' that need to be asserted with authoritative backing? I hope you're not just talking about state identities, even though state identity is an important part of it.

The current crop of authoritative information CAs are very good at two things: they know how to authenticate documents, and they know how to authenticate authority (defined as 'a state', or 'the government of a state'). They are probably, in that respect, even better than State Department employees. US Federal doesn't want to get involved with providing a service to every citizen. They would rather foster the development of a private authentication service industry, and accredit it. No matter what we might believe is "correct" from a purely theoretical view, US Federal Bridge PKI has cross-certified Verisign, Verizon/Cybertrust, Operational Research Consultants Inc, and Entrust. On top of this, aerospace contractors often have their own certifiers, who are delegated similar Authority. Ironically, this Authority is currently not recognized by user software.

But the reason why I don't want to get hung up on state identities is because clubs need to have their own identities, too. Virtual clubs and forums need to have theirs too, and it's common practice to fill out forum signup forms with bogus information because the forums typically don't actually need real identity information. Trying to insist that the DN be matched solely from an authoritative CA violates this "principle of least privilege", which means that people can't use authoritative CAs if they want to protect their personal information from identity thieves and still communicate over the network.

-Kyle H
_______________________________________________ therightkey mailing list [email protected] https://www.ietf.org/mailman/listinfo/therightkey
