Re: I-D ACTION:draft-ietf-spki-cert-theory-00.txt

On Mon, 1 Dec 1997 Internet-Drafts@ns.ietf.org wrote:

-> A New Internet-Draft is available from the on-line Internet-Drafts
-> directories.  This draft is a work item of the Simple Public Key
-> Infrastructure Working Group of the IETF. 
-> 	Title		: SPKI Certificate Theory
-> 	Author(s)	: B. Lampson, R. Rivest, B. Frantz, C. Ellison, 
->                           B. Thomas, Y. Ylonen
-> 	Filename	: draft-ietf-spki-cert-theory-00.txt
-> 	Pages		: 30
-> 	Date		: 26-Nov-97

I think that the document has serious flaws and should be amended, as
well as the name SPKI no longer reflects the result of the merge with
SDSI. Specifically, my comments are given below for each point.

->    The SPKI Working Group has developed a standard form of digital
->    certificate that is both more general and simpler than what is
->    traditionally considered to be a certificate.  Since the word
->    ''certificate'' was first used by Loren Kohnfelder in 1978 to refer to
->    a signed record holding a name and a public key, it has been assumed
->    that the only purpose of a certificate has been to bind a public key
->    to a globally unique name and therefore to a person.  This binding
->    was assumed both necessary and sufficient for security.

This last phrase is wrong, because X.509 (the standard alluded to, and
mostly used) does not say so or assume it. Here, there are actually three
entities and respective bindings: key, name, person.  The definitions of
key, name and their binding are handled by X.509, whereas the binding of
either with a person (and a person's qualifications) is handled by the
CA's CPS -- which is outside the scope of X.509. The same happens for PGP.

Thus, current certificates do not assume that such bindings (plural, here) 
are necessary and sufficient for security -- on the contrary, certificates
such as X.509 and PGP just provide for a security framework to be reached
as a function of the various CPSs and how they are to be interpreted by
each verifier. 

Further, X.509 (and PGP) clearly lay out several purposes besides name
binding for certificates, as given by the extensions in X.509v3, including
authorizations such as the possibility to be used as a root-cert for
signing other certs, etc. 

->    The working group has found that the creation of a globally unique
->    name is neither necessary nor sufficient for Internet security or
->    electronic commerce.  In fact, use of global names can introduce a
->    security flaw.  

This is plain wrong. If globally unique names can be defined then it is a
sufficient condition (together with other suitable conditions for the
public-key, etc.) to uniquely define the agents of actions, globally. This
has nothing to do with the fact that a globally unique name cannot be
defined with current technology, in the general case. In fact,
counter-paraphrasing the last phrase above, use of global names (that
deserve the name) could never introduce security flaws! 

-> Therefore, we define certificate forms for binding
->    local names to keys (to retain security while offering the
->    convenience of meaningful names) and for assigning authorizations to
->    keys (to provide adequate information for real applications).  These
->    forms can be used alone or together.

Of course, local names can only be locally meaningful and must be always
isolated from any global context (where they may even collide) -- which
makes them useless in a world PKI.

To further discuss the issues, I assume that for the SPKI proposal there
is no identity other than the key, so there is no entity authentication,
just key authentication and all actions are performed in cyberspace. For
SDSI, I assume that there is no identity of meaning to anyone other than
to the CA, so all entities' names are only locally valid and all actions
are again performed in cyberspace. 

So, as SPKI was merged with SDSI, SPKI had indeed to consider all names to
be local -- which essentially: 

(i) gives up the hope of any binding between cyberspace entities and
real-world legal or accountable entities, and

(ii) takes away the "Infrastructure" aspect of the SPKI name.

(These problems are not to be solved by SPKI, but by a "subpoena
certificate" as Carl Ellison has named it, which is a service to be paid
for by the user and which will be treated in the future. Which has nothing
to do with the SPKI proposal and which certainly brings up problems of its

Thus, I fail to see where SPKI/SDSI would offer a better situation than
X.509, regarding any security goal for the worldwide Internet. In fact,
SPKI takes away any possible semantics that could be offered by a CA's CPS,
in order to resolve naming conflicts or assignments on a global scale. The
"may delegate" flag in SPKI is another open question, where anyone may
fake a cert with an authorization for the key of another person (a framing
attack).  Further, SPKI wrongly considers trust to be fully transitive and
distributive -- for which, X.509 and PGP at least offer a partial way out.
Thus, the SPKI proposal should refrain from making misleading statements
on global names and should also delete the words "Public-Key
Infrastructure" from its name because it only deals with local names --
which, of course, will never allow a PKI to be built. The local names of
"SPKI/SDSI" are forever local and have no significance outside their local
trust domain. 



Dr.rer.nat. E. Gerck                        egerck@laser.cps.softex.br
P.O.Box 1201, CEP13001-970, Campinas-SP, Brazil