
Re: global names are a security flaw

On Fri, 5 Dec 1997, Bill Buffam wrote:

-> [snip]
-> Okay, fair enough. Things were getting a bit arcane. Let me take a crack
-> at clarifying this. 
-> First off, the local name is qualified in such a way as to make it
-> meaningful to its local users. 

Yes, and indeed it does not have to be meaningful to anyone else, to me or
to you either -- so you must conceptually agree that it is perfectly
useless outside its local domain, generally speaking. 

-> -> On the other hand, to Carol (someone who knows Bob), Alice's globally
-> unique name is generally less useful, since it may be "Alice Smith"
-> qualified by a whole bunch of names (organizations, locations, etc.)
-> that make her name globally unique. But if Carol, in trying 
-> to decide which Alice Smith she's dealing with, has no knowledge of
-> those affiliations, she cannot disambiguate the name. She doesn't know
-> which "Alice Smith" Bob refers to as Alice, and nothing in the globally
-> unique name helps her figure this out.

Now, the obvious problem here is not with global names but with lack of
information! Of course, before you can find anything (even a name), you
must know what you are looking for .... so, if you don't know Bob Jones'
middle name (even though he is your friend) then you can't find him at IBM
or, if you don't know where Alice Smith works then you can't find her. I
could further say that if you don't know Alice Smith's phone number then
you can't call her!

(Clearly, if you start with zero information all you have is entropy...)

-> If there is any ambiguity in "Bob's Alice", Carol can simply ask Bob,
-> because Bob is a known environment with which Carol has chosen to link
-> her namespace (probably with legally binding obligations on both
-> sides). Bob is thus an "interested" agent in this protocol.

[cf a private posting] Given that the US INS accepts UK birth (naming)
certificates, in order to certify immigration status for its own policy of
regulation, this does not mean that the INS is acting to "confirm" the
legitimacy of the name, or organise the UK namespace. This is like saying,
effectively, the INS accepts UK naming, but you cannot use that as an INS
completed action in court to prove you were so named by the UK. It's a
one-way function.

Yes, you trust Bob to have performed such a naming "reference" for Carol,
but you cannot rely on it directly.

Thus, in philosophical terms, Bob refers to a name; however Bob does not
denote it. In legal reliance terms, Carol trusts the name confirmation
procedures of Bob during *cert* reliance, but Carol cannot rely upon the
name for other than its value as a representation of Bob's authentication
management act -- whatever it may be.

-> [snip, already discussed, example does not depend on global names]

-> One could imagine that a global body of information could be established
-> that supports the DN structure, with liability implications for its
-> creators and custodians. Then the two schemes (global names, local
-> names) are essentially equivalent, in terms of risk. 

No. One global name can lead to one local name but not conversely, in
general. Hence, the two schemes are not equivalent in any terms.

In other words, going from global to local is essentially a dimensional
reduction -- which is always possible as a many-to-one mapping while
certainly (as can be mathematically proved) introducing discontinuities in
the local name space. So, one global name will map to one local name --
even though neighboring local names will not (in general) correspond to
neighboring global names. 

However, going from local to global would be a dimensional inflation --
which is always one-to-many. So one local name would correspond to any
number of global names with some freely presumed data -- invalidating any
use of such mapping in certificates.

-> But things don't happen that way do they? The global name model is the
-> central command and control, top-down model, a la communism.

This is plain wrong.

You are confusing policy with trajectory. X.509 has a hierarchical policy
for naming but has a non-hierarchical trajectory to denote such names as
DNs. Note also that this has nothing to do with the hierarchical aspect of
a X.509 PKI (for CA's public-keys) or the centralizing aspect of TTPs.

-> Effective
-> human organizations don't work like that - they work from the bottom up.
-> That's why linked namespaces of interested participants will more easily
-> be made to work - because the prime movers have a vested interest in
-> making it work. 

The Internet is not any longer a parochial network. Competing businesses,
competing countries and competing economic blocks are present in the
Internet. Recently, a world renowned and respected car manufacturer was
found guilty and fined US$ 1.1 billion because of industrial espionage on
another world renowned and respected car manufacturer. 

Of course, VW has a vested interest to protect the car manufacturing
business but, nonetheless, GM will not accept VW to define who is not a
certain gentleman in VW's namespace ... 

I am also sure that the NSA will not accept Mira Loma High School in
Sacramento, CA, to define who is not Aldrich Ames, even though both have
vested interests to protect the US.

-> The whole thing grows organically, each piece being a
-> viable community, ultimately linking with wider communities. 

Rubbish in, rubbish out.

-> In
-> contrast, the global name model depends on a big bang event that's much
-> more difficult (technically; and politically, forget it) to grow
-> incrementally.

Not at all. You need to distinguish between policy and trajectory.

-> P.S. Thought for the day:
-> A complex system that works is invariably found to have evolved from a
-> simple system that worked . . . A complex system designed from scratch
-> never works, and cannot be patched up to make it work. You have to start
-> over, beginning with a working simple system.
-> J Gall, in Systemantics: How systems really work, and how they fail. 1986

P.S.: "Things can be made simple, but not simpler." 
       A. Einstein

P.P.S.: "A complex system that works is invariably found to have evolved
         from a simple system that *worked*"

Dr.rer.nat. E. Gerck                        egerck@laser.cps.softex.br
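The global-to-local mapping argued above (a projection of globally unique DNs onto local names is a many-to-one function, but the inverse is one-to-many, so Carol needs extra attributes to pick "Bob's Alice"), as an added example that is not part of the thread. The DNs are constructed sample values and the function names are my own; the DN parser is a simplified one, not a full RFC 2253 implementation.

```python
"""Many-to-one projection of global names onto local names, and its inverse."""

# Constructed sample of globally unique DNs (not real people or organizations).
GLOBAL_NAMES = [
    "CN=Alice Smith,OU=Research,O=Example Corp,L=Austin,C=US",
    "CN=Alice Smith,O=Example Bank,L=London,C=GB",
    "CN=Bob Jones,O=Example Corp,L=Austin,C=US",
    "CN=Carol White,O=Example Bank,L=London,C=GB",
]


def parse_dn(dn):
    """Split 'K=V,K=V' into an ordered list of (KEY, value) pairs.

    Backslash-escaped commas inside a value are honoured; everything else
    (quoting, multi-valued RDNs) is out of scope for this sample."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    pairs = []
    for part in parts:
        key, _, value = part.partition("=")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs


def global_to_local(dn):
    """Projection: keep only the CN. Every DN yields exactly one local name,
    so this direction is a function (many-to-one)."""
    return dict(parse_dn(dn))["CN"]


def local_to_global(local_name, universe):
    """Inverse relation: all DNs whose projection is local_name.
    Returns a list because the answer is generally not unique."""
    return [dn for dn in universe if global_to_local(dn) == local_name]


def resolve_with_context(local_name, universe, **known):
    """Carol's position: disambiguate only with attributes she already knows
    (e.g. O='Example Bank'); without them the candidate set stays ambiguous."""
    candidates = local_to_global(local_name, universe)
    for key, value in known.items():
        candidates = [dn for dn in candidates
                      if dict(parse_dn(dn)).get(key.upper()) == value]
    return candidates
```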