[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Thinkin' about identifiers...

To: ipsec@tis.com
Subject: Thinkin' about identifiers...
From: graydon hoare <graydon@gabber.multinet.net>
Date: Mon, 6 Jan 1997 15:25:54 -0500 (EST)
Sender: owner-ipsec@ex.tis.com
I've been looking over the material on security topics currently
available, and have become a little concerned. While it's true that
identification and authentication systems are slowly stabilizing
through the analysis of the members of the IETF and security-related
companies, one issue which remains to be dealt with properly (from my
perspective) is that of the naming system. It does not seem effective
to rely on the DNSSEC (basically email) or X.500/LDAP architectures,
because under these systems an identifier is logically connected to an
authority for other, non authentication-related information

This looks like a small problem, but as time goes on it blossoms into
a whole bunch of problems. The key concern is that your name tells
other principals a lot about you as a principal (not just humans --
organizations and software agents too)

If a principal has information about your name, it partially or fully
denies you the option of acting anonymously. In DNS or X.500, having
an obscure or hard-to-remember identifier invalidates the point of the
databases.  But making names easy to remember means associating them
with real-world things, such as the place you work, the place you get
your email, the country you live in etc. Furthermore since DNS and
X.500 are both used to store other identifying information, having
multiple DNS or X.500 names does not preclude the possibility of
someone matching them up (for instance, by given name). While this may
not annoy you much when it comes to junk email or the like, having
control over joinable database keys will make your life a lot more
pleasant as interoperability increases.

And even if you have complete trust in the harmlessness of data
collecting and indexing based on things you don't want to change (your
name) or can't realistically deny (that you got your name in a certain
country), there is this horrible problem of a hierarchical name space
being tied to real world organizational hierarchies. If everyone who
works for the military gets their keys stashed under the mil
hierarchy, guess which machine an attacker is going to try to
compromise? SOA (or "keyserver") for mil. Although you need a
hierarchical name space for a good distributed system, you don't need
to be spelling out what is represented in each branch of the
hierarchy.

Finally, as you may be aware, the dynamic creation and assignment of
DNS names is being intentionally slowed (60 days is a suggested wait
time) in order to make trademark conflicts less troublesome. It is an
admirable effort, but I would prefer for a system responsible for
network-wide authentication to be extremely robust and therefore make
use of any host with any spare CPU cycles for replication and
distribution.

I am considering implementing a portable, low-overhead identification
and certificate server.  It will be similar to OSPF/gated or named,
but will not couple with internet names or addresses internally -- I'm
assuming that many things in the world will be able to store
identifiers without necessarily being "on the net" all the time.  The
design is very clear and modular and has strong controls for cache
consistency and replication. Its records are mobile and reasonably
hard to track, and there is maximum effort put into keeping the
identifiers anonymous. The communication protocol is based on
certificate-exchange protocols previously defined by IETF, and should
work with various authentication systems already in place.

The goal of this implementation is to create a framework in which
strong cryptosystems and authorization schemes can flourish. I am not
smart enough to invent any such schemes myself, but I do see that the
name system, in order to be useful, should be
lowest-common-denominator equipment. If they are kept at the level
they are being proposed at today, the options for speed, efficiency,
and anonymity are severely hampered.

I will make available an RFC as soon as I put one together. It's
pretty straightforward. I am interested in keeping identifiers as "out
of the way" as possible across the entire network. I work for an ISP,
and am all too familliar with the accounting and authorization
nightmare that inconsistent identities beings up.

I am not a C expert, nor a crypto expert, nor a distributed systems
expert. Furthermore I am working full-time, so I really only have my
evenings free. I would appreciate any assistance from others who are
interested in helping.

graydon@pobox.com
Prev by Date: RE: pf_key comments
Next by Date: Re: pf_key comments
Prev by thread: DOI in the Header
Next by thread: RE: Thinkin' about identifiers...
Index(es):
- Main
- Thread