
Re: I-D ACTION:draft-ietf-spki-cert-theory-00.txt

> I think that the document has serious flaws and should be amended; also,
> the name SPKI no longer reflects the result of the merge with
> SDSI. Specifically, my comments are given below for each point.
> ->    The SPKI Working Group has developed a standard form of digital
> ->    certificate that is both more general and simpler than what is
> ->    traditionally considered to be a certificate.  Since the word
> ->    ''certificate'' was first used by Loren Kohnfelder in 1978 to refer to
> ->    a signed record holding a name and a public key, it has been assumed
> ->    that the only purpose of a certificate has been to bind a public key
> ->    to a globally unique name and therefore to a person.  This binding
> ->    was assumed both necessary and sufficient for security.
> This last phrase is wrong, because X.509 (the standard alluded to, and
> mostly used) does not say so or assume it. Here, there are actually three
> entities and respective bindings: key, name, person.  The definitions of
> key, name and their binding are handled by X.509, whereas the binding of
> either with a person (and a person's qualifications) is handled by the
> CA's CPS -- which is outside the scope of X.509. The same happens for PGP.

Yes, the X.509 standard does not assume such a binding. The assumption is
in its philosophy of use, and derived from the X.500 directory, which really
had the pretension to assign a unique name to each 3D entity involved with the
networks. CAs are nowadays doing what was intended to be done by the directory,
with the problem that the directory was assumed to have a unique, fully
trusted root (the government), and all CAs put themselves as roots.

> Thus, current certificates do not assume that such bindings (plural, here)
> are necessary and sufficient for security -- on the contrary, certificates
> such as X.509 and PGP just provide for a security framework to be reached
> as a function of the various CPSs and how they are to be interpreted by
> each verifier.

This is true for PGP, which was thought out from the beginning with this
in mind, not for X.509 (but it can be used that way too ... denaturalized).

I don't have the knowledge to formally prove/disprove that such bindings are
necessary and sufficient for security. Can somebody?

> Further, X.509 (and PGP) clearly lay out several purposes besides name
> binding for certificates, as given by the extensions in X.509v3, including
> authorizations such as the possibility to be used as a root-cert for
> signing other certs, etc.

The problem with X.509 is its support for extensions, which means they are not
mandatory to be understood -- yes, the standard says that a non-understood
extension results in certificate rejection; what I mean is that people are not
going to create them with these extensions (I normally do not, merely
because their

> ->
> ->    The working group has found that the creation of a globally unique
> ->    name is neither necessary nor sufficient for Internet security or
> ->    electronic commerce.  In fact, use of global names can introduce a
> ->    security flaw.

> This is plain wrong. If globally unique names can be defined then it is a
> sufficient condition (together with other suitable conditions for the
> public-key, etc.) to uniquely define the agents of actions, globally. This
> has nothing to do with the fact that a globally unique name cannot be
> defined with current technology, in the general case. In fact,
> counter-paraphrasing the last phrase above, use of global names (that
> deserve the name) could never introduce security flaws!

Not a security flaw, a privacy flaw. And security is intended to protect

> -> Therefore, we define certificate forms for binding
> ->    local names to keys (to retain security while offering the
> ->    convenience of meaningful names) and for assigning authorizations to
> ->    keys (to provide adequate information for real applications).  These
> ->    forms can be used alone or together.
> ->
> Of course, local names can only be locally meaningful and must always be
> isolated from any global context (where they may even collide) -- which
> makes them useless in a world PKI.
> To further discuss the issues, I assume that for the SPKI proposal there
> is no identity other than the key, so there is no entity authentication,
> just key authentication and all actions are performed in cyberspace. For
> SDSI, I assume that there is no identity of meaning to anyone other than
> to the CA, so all entities' names are only locally valid and all actions
> are again performed in cyberspace.
> So, as SPKI was merged with SDSI, SPKI had indeed to consider all names to
> be local -- which essentially:
> (i) gives up the hope of any binding between cyberspace entities and
> real-world legal or accountable entities, and
> (ii) takes away the "Infrastructure" aspect of the SPKI name.
> (These problems are not to be solved by SPKI, but by a "subpoena
> certificate" as Carl Ellison has named it, which is a service to be paid
> for by the user and which will be treated in the future. Which has nothing
> to do with the SPKI proposal and which certainly brings up problems of its
> own.)
> Thus, I fail to see where SPKI/SDSI would offer a better situation than
> X.509, regarding any security goal for the worldwide Internet. In fact,
> SPKI takes away any possible semantics that could be offered by a CA's CPS,
> in order to resolve naming conflicts or assignments on a global scale. The
> "may delegate" flag in SPKI is another open question, where anyone may
> fake a cert with an authorization for the key of another person (a framing
> attack).  Further, SPKI wrongly considers trust to be fully transitive and
> distributive -- for which, X.509 and PGP at least offer a partial way out.

But the delegated trust is not full; it is just a subset of it.

> Thus, the SPKI proposal should refrain from making misleading statements
> on global names and should also delete the words "Public-Key
> Infrastructure" from its name because it only deals with local names --
> which, of course, will never allow a PKI to be built. The local names of
> "SPKI/SDSI" are forever local and have no significance outside their local
> trust domain.

OK, here the problem is in the assumption of globality. Global domains,
names ... they do not exist. All domains are always subdomains of bigger
ones. Thinking of having a truly global domain is like when the people from
the States proclaim that the NBA final is the world basketball final (sorry!
... maybe somebody has a better example).
With SPKI it is easy to create a trust tree from the bottom (the easy
parts); nothing says that one day we will all agree and we will have a local
world-sized domain. This is very close to the successful Internet history.

Finally, I don't see why you put PGP and X.509 on the same level; they
have totally different philosophies.

Xavier Serret Avila.

                     Xavier Serret Avila

              Universite Catholique de Louvain
	      Laboratoire de Telecommunications
	      Batiment Stevin
	      2, Place du Levant
	      B-1348 - Louvain La Neuve
mailto:serret@tele.ucl.ac.be          Tel.: +32 - (0)10 - 478072
                                      Fax : +32 - (0)10 - 472089
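An added illustration of the delegation point argued above (the "may delegate" flag, and delegated trust being a subset rather than the full authority), not code from this thread or from the SPKI draft itself: a 5-tuple reduction in the style of SPKI certificate theory, with authorization tags simplified to flat permission sets (an assumption; real SPKI tags are S-expressions with their own intersection rule) and constructed key names Kroot, K1, K2 and K3.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Added illustration, not from the thread: SPKI-style 5-tuple reduction.
# Tags are simplified to flat permission sets (real SPKI tags are
# S-expressions with a richer intersection rule); key names are constructed.

@dataclass(frozen=True)
class Cert:
    issuer: str              # key that issues the certificate
    subject: str             # key that receives the authority
    may_delegate: bool       # the "may delegate" flag under discussion
    auth: FrozenSet[str]     # authorization tag, modelled as a set
    not_after: int           # validity bound (day number, constructed)

def reduce_pair(a: Cert, b: Cert) -> Optional[Cert]:
    """Combine two certs by the reduction rule; None if they do not chain."""
    if a.subject != b.issuer:   # the chain must run key to key
        return None
    if not a.may_delegate:      # holder of `a` was never allowed to pass it on
        return None
    return Cert(
        issuer=a.issuer,
        subject=b.subject,
        may_delegate=b.may_delegate,
        auth=a.auth & b.auth,   # intersection: the result is a subset, never more
        not_after=min(a.not_after, b.not_after),
    )

def reduce_chain(chain: List[Cert]) -> Optional[Cert]:
    """Reduce a whole chain left to right; None as soon as a link fails."""
    acc = chain[0]
    for c in chain[1:]:
        acc = reduce_pair(acc, c)
        if acc is None:
            return None
    return acc

# Constructed sample chain: the root grants K1 read+write with delegation;
# K1 tries to hand K2 read+write+admin without delegation; K2 then tries to
# pass "read" on to K3 anyway.
ROOT_TO_K1 = Cert("Kroot", "K1", True, frozenset({"read", "write"}), 400)
K1_TO_K2 = Cert("K1", "K2", False, frozenset({"read", "write", "admin"}), 300)
K2_TO_K3 = Cert("K2", "K3", False, frozenset({"read"}), 500)

def k2_authority() -> Optional[Cert]:
    return reduce_chain([ROOT_TO_K1, K1_TO_K2])

def k3_authority() -> Optional[Cert]:
    return reduce_chain([ROOT_TO_K1, K1_TO_K2, K2_TO_K3])
```

K2 ends up with only read+write (the "admin" K1 never held cannot be conferred) and the shorter validity, while K3 gets nothing because the K1-to-K2 link carried no delegation bit.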
