At 6:12 PM -0800 2/10/12, Kyle Hamilton wrote:
> On Thu, Feb 9, 2012 at 3:05 PM, Stephen Kent <[email protected]> wrote:
>> At 11:29 PM +0100 2/9/12, DIEGO LOPEZ GARCIA wrote:
>>> ...and I do agree with you in that whichever entity making such assertion (X.509, SAML, JWT...) has to be authoritative for the identity asserted if you want it to be usable.
>> I think we are in agreement. CAs that are not authoritative for asserted identities are as bad as federated trust entities with similar properties.
> What are these 'identities' that need to be asserted with authoritative backing? I hope you're not just talking about state identities, even though state identity is an important part of it. The current crop of authoritative information CAs are very good at two things: they know how to authenticate documents, and they know how to authenticate authority (defined as 'a state', or 'the government of a state'). They are probably, in that respect, even better than State Department employees.
I fear that you're not paying close attention to what I said, Kyle.
> US Federal don't want to get involved with providing a service to every citizen. They would rather foster the development of a private authentication service industry, and accredit it. No matter what we might believe is "correct" from a purely theoretical view, US Federal Bridge PKI has cross-certified Verisign, Verizon/Cybertrust, Operational Research Consultants Inc, and Entrust. On top of this, aerospace contractors often have their own certifiers, who are delegated similar Authority. Ironically, this Authority is currently not recognized by user software.
Yes, the Federal bridge CA is a bad idea, as implemented.
> But the reason why I don't want to get hung up on state identities is because clubs need to have their own identities, too. Virtual clubs and forums need to have theirs too, and it's common practice to fill out forum signup forms with bogus information because the forums typically don't actually need real identity information. Trying to insist that the DN be matched solely from an authoritative CA violates this "principle of least privilege", which means that people can't use authoritative CAs if they want to protect their personal information from identity thieves and still communicate over the network.
I'm not talking about 'state' identities in most cases. Look at the IDs associated with most of the credentials that you hold. They include your name and a number. Your name is not globally unique, but a name plus a number managed by the authority IS unique, relative to that authority. This applies to credit cards, driver's licenses, frequent traveller cards, and passports.
Steve
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey