[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Draft Charter

To: Jon Callas <jon@xxxxxxxxxx>
Subject: Re: Draft Charter
From: Stephen Kent <kent@xxxxxxx>
Date: Mon, 13 Aug 2007 20:26:22 -0400
Cc: ietf-trust-anchor@xxxxxxxx
In-reply-to: <541D144E-80AD-4B07-85EB-4EF2786E811D@xxxxxxxxxx>
List-archive: <http://www.vpnc.org/ietf-trust-anchor/mail-archive/>
List-id: <ietf-trust-anchor.vpnc.org>
List-unsubscribe: <mailto:ietf-trust-anchor-request@vpnc.org?body=unsubscribe>
References: <> <> <82D5657AE1F54347A734BDD33637C87908C4E04C@xxxxxxxxxxxxxxxxxxxxxxxx> <46BCBE41.6000707@xxxxxxxxx> <82D5657AE1F54347A734BDD33637C87908C9C352@xxxxxxxxxxxxxxxxxxxxxxxx> <46BCC098.4030808@xxxxxxxxx> <541D144E-80AD-4B07-85EB-4EF2786E811D@xxxxxxxxxx>
Sender: owner-ietf-trust-anchor@xxxxxxxxxxxxx


At 2:47 PM -0700 8/13/07, Jon Callas wrote:

...
An historical note first. The term "key" for "certificate" in theway that it is colloquially used in OpenPGP was coined by WhitDiffie. People like it. It's short, friendly, and has a niceprovenance.

I believe the term "certificate" was coined in an MIT bachelor'sthesis by Kornfelder in 1978. (Ron Rivest was the thesis advisor.).The original D-H paper in 1976 had no concept of a cert; instead ittalked about making public keys available in a phone book like manner.

However, it isn't accurate. A certificate contains a key, but acertificate is not a key.


right.

Worse, an OpenPGP certificate typically contains at least two publickeys, along with a number of certifications. (It is possible to havea one-key OpenPGP certificate, but that can only be used forsigning. If you want to encrypt something, you need a signing keyand an encryption key in your certificate. Right now, we're movingto a use model that has at least three keys -- where the top levelsigning key is merely a certification key, and there's an encryptionand signing subkey. This is particularly popular in Europe.)

this recursive definition of a cert may be a good example of why itmay be hard to develop a protocol that uses a consistent set ofterminology and embraces both OPGP and X.509/PKIX.

What this means is that if you say "OpenPGP Key" and want to talkabout its components, you're using the word "key" far too manytimes. I have tried to apply rigor to the terminology, but peoplelike using the word "key" for "certificate" and refused to playalong. So I merely get precise when I need to.


on this list you probably should assume the need to be precise :-).

...
Now where the OpenPGP and X.509 (particularly PKIX) models divergeis an attitude about issuers and roots. In OpenPGP, every user is apotential CA. Every certificate is a potential root. This makes forsome semantic differences, as well as attitude differences.
Every so often, a PKIX/X.509 discussion comes up about using thesame public key in more than one certificate. One thing that alwayscomes out of that discussion is noting that if you did it, you'dneed a way to revoke a public key as well as a certificate, and nosuch thing exists. Well, OpenPGP effectively does this by havingboth a signature revocation and a "key" revocation mechanism. Notethat in *this* case, the OpenPGP colloquialism of "key" actuallymeans a key!

There are a lot of reasons why it is preferable to not reuse a publickey in multiple certs. The semantics of X.509 deal with certrevocation because a CA's job is to vouch for the binding of theattributes in a cert and the public key in that cert. Revocaton ofthe cert breaks the binding, which is both necessary and sufficientfor the semantic model. There is not need to add an ability torevoke keys, because a CA does not attest to the security of the keyin any larger sense.

(If Alice and Bob each certify my "key," that corresponds to myhaving three X.509 certificates, each with the same public key. My"key" is three certs, one issued by Alice, one issued by Bob, andone that is self-signed. If I revoke my self-signed certificate,that implies revoking the other two. Yes, I know all the thingsyou're thinking now.)

I'd try to avoid that last phrase as it may strike some as bothpresumptuous and, at least in my case, usually wrong :-).

So let me get to keyrings, and then back to TAM. There's no suchthing as a keyring. More precisely, it is not well-defined. Thatfile you have for PGP or GnuPG is a sequential file of OpenPGPcertificates, nothing more. However, a "keyring" could also be anSQL database containing same. So if you permit me to contradictmyself, a "keyring" is nothing more than a certificate database witha warm, fuzzy, Diffie-coined word for it, and is often implementedas a flat file.

a clear definition for a key ring would not require any mention ofthe type of database by which the set of certs is maintained, so,hopefully, there is a better reason that the term is not defined inany documents, right?

OpenPGP makes a show of explicitly not defining how to expresstrust. This is because when the OpenPGP working group was formed, wewere told we couldn't be a PKI, and that meant we couldn'tstandardize trust. So while there is a "trust packet" in OpenPGP,it's officially implementation-dependent. As it turns out by somehappy coincidence, we all base our trust structures on what wentbefore, and we can (usually) directly import these from oneimplementation to another.

This is a very odd characterization. Despite the blatant overuse ofthe term, especially in marketing literature and poorly writtenpapers, both the syntax and semantics of X.509 can be described w/oreference to the word "trust." (Even the term "trust anchor" need notbe defined using the word trust, as the candidate definitions bandiedabout on this list have shown.)

And this is why TAM would be useful to OpenPGP, and why you'll findslightly tepid comments from some people. Historically, we've solvedthese problems among ourselves, and typically it all works justfine. In other words, TAM gives X.509 ways to do things that OpenPGPhas done for a long time.

Is this another set of things that OPGP does but which is notdocumented in any IETF publication?

However, I know there are rough edges, and TAM would be a fine wayto iron them out. For my company, PGP Corporation, we work in PKIsthat are imaged into X.509 syntax and OpenPGP syntax. We need tomaintain parallel structures, and TAM is a fine way to do it.
If TAM becomes PKIX-only, then I'm going to have to make a TAMextension to handle certs in different formats. I can think now of away to do it:
I go look at whatever TAM decides, and go directly to where theASN.1 says "certificate goes here." And then I just put thereinstead of the certificate a type-constant (an OID?) and then thecertificate. Then poof, Alice is your auntie, and we're all done.
Is it *that* hard to make this part of TAM, and have type constantsfor PKIX, X.509, SPKI, DNSsec, SAML, XML-whatever, DKIM, etc.?



Syntax is not the hard part here.

For example, when one defines the language needed to characterize theconstraints ompised on TAAs, and the constraints expressible via a TAdata structure, one probably has to be cognizant of the semantics ofthe certs being managed, else there will be no way to ensure that thelanguage has enough richness to meet the requirements of the targetuser community (whoever we decide that to be). For example, in theX.509 context, it seems likely that we need the ability to expressname constraints, maybe policy constraints, certainly RFC 3779constraints, etc.

Also, what is SAML doing in your list? It is not a PKI mechanism,not a public key format, ...


Steve

References:
- Draft Charter
  - From: Turner, Sean P.
- Re: Draft Charter
  - From: Stephen Kent
- RE: Draft Charter
  - From: Santosh Chokhani
- Re: Draft Charter
  - From: Stephen Farrell
- RE: Draft Charter
  - From: Santosh Chokhani
- Re: Draft Charter
  - From: Stephen Farrell
- Re: Draft Charter
  - From: Jon Callas

Prev by Date: RE: Draft Charter
Next by Date: Re: Draft Charter
Previous by thread: Re: Draft Charter
Next by thread: Re: Draft Charter
Index(es):
- Date
- Thread