
Re: global names are a security flaw


I have a very hard time following your arguments.  You seem to have a
point, but I fail to find it.

Ed Gerck wrote:
> On Fri, 5 Dec 1997, Bill Buffam wrote:
> -> First off, the local name is qualified in such a way as to make it
> -> meaningful to its local users.
> Yes, and indeed it does not have to be meaningful to anyone else, to 
> me or to you either -- so you must conceptually agree that it is 
> perfectly useless outside its local domain, generally speaking.

Exactly.  And there is nothing but local domains.  All name domains that
exist are local to the context where they are used.  If you need to
interact with somebody, you need to map that "somebody" to your local name
space.  There is no "common global name" you can apply.  Even if there
were, you could not recognize it, as it does not exist in your local name

[previous post about not being able to identify "Alice Smith"]
> Now, the obvious problem here is not with global names but with lack 
> of information!

Exactly my point, but I don't think you meant it that way.  There is no
information about a global name, there is only a set of local references to
a principal.

> Of course, before you can find anything (even a name),  you must know 
> what you are looking for .... so, if you don't know Bob Jones' middle 
> name (even though he is your friend) then you can't find him at IBM 
> or, 

Yes, you may be able to find him.  You have a local perception of his
identity.  By searching some local name spaces, you may find enough
information to locate a "candidate" Bob.  Once you have a candidate, you
must use your own projection of Bob's identity to verify that the candidate
is indeed Bob.  If your projection is very low on information, there is a
risk of confusion or fraud.  This must be familiar to you - I'm sure you at
one point or another have spoken with the wrong person on the phone for a
while before recognizing your mistake.

> if you don't know where Alice Smith works then you can't find her. I 
> could further say that if you don't know Alice Smith's phone number 
> then you can't call her!

But you may know Alice's sister's best friend, who knows the number.

> (Clearly, if you start with zero information all you have is 
> entropy...)

In a local name space, you cannot use a global name, even if you knew one.
The name does not fit within your name space, so you need to map it to a
local name. 

> -> If there is any ambiguity in "Bob's Alice", Carol can simply ask 
> -> Bob, because Bob is a known environment with which Carol has chosen 
> -> to link her namespace (probably with legally binding obligations on 
> -> both sides). Bob is thus an "interested" agent in this protocol.
> Yes, you trust Bob to have performed such a naming "reference" for 
> Carol, but you cannot rely on it directly.

Why, then, could I rely on a similar naming by a CA who attaches no
interest to the binding?

> No. One global name can lead to one local name but not conversely, in
> general. Hence, the two schemes are not equivalent in any terms.
> In other words, going from global to local is essentially a 
> dimensional reduction -- which is always possible as a many-to-one 
> mapping while certainly (as can be mathematically proved) introducing 
> discontinuities in the local name space. So, one global name will map 
> to one local name -- even though neighboring local names will not (in 
> general) correspond to neighboring global names.

The problem here is that you claim that I, operating in my local name
space, can map a global name from a separate name space into my name
space.  As any "global" name space is meaningless in my local name space, I
must treat it as a local name from a different name space. You seem to
claim I can map one-to-one between two local name spaces.   But above you
note that this is mathematically impossible. 

As long as you can't force all local name spaces to be subsets of the
"global name space" you are referring to, the mapping you describe is
mathematically impossible. I believe that X.500 died because the local name
spaces could not be made subsets of the global name space. As you state

> However, going from local to global would be a dimensional inflation 
> -- which is always one-to-many. So one local name would correspond to 
> any number of global names with some freely presumed data -- 
> invalidating any use of such mapping in certificates.

Which in my mind rules out the X.509 DN name space.  You can try to
convince me otherwise, but you are not doing a good job of it so far.

But I'm probably rambling on without a purpose here...

Camillo Särs <Camillo.Sars@DataFellows.com>   Data Fellows Ltd.
http://www.Europe.DataFellows.com/      Aim for the impossible and you
http://www.iki.fi/ged                   will achieve the improbable
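The linked-local-name resolution argued over above ("Bob's Alice" being looked up in Bob's name space, and a local name corresponding to several global names but not conversely), as an added toy model that is not part of the original thread; the keys, names and DNs are constructed placeholders.

```python
# Added example, not from the original thread: a toy model of SDSI-style
# linked local names, where every name is interpreted only relative to the
# name space of one principal.  All keys, names and DNs are constructed.

# Each principal (identified by a public-key placeholder) keeps a local
# name space: local name -> key of the principal it refers to.
NAMESPACES = {
    "K_carol": {"bob": "K_bob", "alice": "K_alice_neighbour"},
    "K_bob": {"alice": "K_alice_smith", "carol": "K_carol"},
    "K_alice_smith": {},
    "K_alice_neighbour": {},
}

# Constructed "global" directory names.  One key may have been given several
# DNs over time: the one-to-many, local-to-global direction from the mail.
GLOBAL_DNS = {
    "K_alice_smith": ["CN=Alice Smith,O=IBM", "CN=A. Smith,O=IBM Research"],
    "K_alice_neighbour": ["CN=Alice Smith,L=Helsinki"],
}


def resolve(owner_key, *names):
    """Resolve a linked name such as Carol's "bob's alice" step by step.

    Each step is looked up only in the name space of the key reached so far,
    so "alice" means whatever the *previous* principal bound it to.  Returns
    None if any step is undefined in the relevant name space.
    """
    key = owner_key
    for name in names:
        key = NAMESPACES.get(key, {}).get(name)
        if key is None:
            return None
    return key


def local_names_for(owner_key, target_key):
    """Local names (possibly none, possibly several) that owner_key has bound
    to target_key.  Empty means the owner can only reach the key through a
    linked name, not through a name of its own."""
    return sorted(n for n, k in NAMESPACES.get(owner_key, {}).items() if k == target_key)


def global_names_for(key):
    """Global DNs a key has been given: a local key maps to any number of them."""
    return list(GLOBAL_DNS.get(key, []))
```

Carol's own "alice" and "bob's alice" resolve to different principals, which is the point that a bare name such as "Alice Smith" carries no meaning outside the name space it was bound in.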
