Anything in this story of concern?

Chad Perrin code at apotheon.net
Wed Sep 11 02:57:36 UTC 2013


On Mon, Sep 09, 2013 at 10:14:17PM -0400, Garrett Wollman wrote:
> <<On Mon, 09 Sep 2013 07:34:17 +0000, "Poul-Henning Kamp" <phk at phk.freebsd.dk> said:
> 
> > And as Garrett Wollman correctly pointed out on twitter: It remains
> > yet to be seen if any implementation of SSL/TLS can be non-crap,
> > given that they are stuck with X.509.
> 
> I should say, by the way, that X.509 is not an inherent requirement of
> SSL/TLS, *but* it's what the clients implement.  You can do GSSAPI
> authentication for the TLS key exchange, but there's little benefit in
> doing that versus just doing straight GSSAPI sign/seal and leaving TLS
> out of it completely.  (Plus, there are only two options for GSSAPI;
> one of them doesn't work at Internet scale and the other is back to
> X.509 again.)  You can also do OpenPGP-style Web of Trust
> authentication for the TLS key exchange, but that doesn't work
> at Internet scale either.  GnuTLS supports both, however.

It seems that you're saying something like Monkeysphere or Perspectives
would somehow not work "at Internet scale", but it seems to me that the
real weakness of these things would be a case of *small* scale, in that
if either is not widely-enough used it will not suffice for many sites
that are not popular enough to attract a sufficient percentage of the
clients who actually use Monkeysphere or Perspectives.

Granted, neither Monkeysphere nor Perspectives is *exactly* like PGP web
of trust in how it works (both are more about merely achieving broad
client agreements in practice, and not actual cryptographic trust
relationships), so an actual direct port of PGP web of trust
infrastructure to TLS key authentication might suffer other problems for
scale, but I am not sure exactly what about the web of trust model you
meant to indicate would not scale.


> 
> What would work, would be better than the X.509 CA infrastructure we
> have now, and has been demonstrated experimentally, is using DNSsec to
> publish server public keys -- but that's hardly reducing the size of
> the TCB, and it would significantly worsen the impact of bugs in
> validating DNSsec implementations.  The likely result, if browsers and
> servers began to support this as a legitimate option, would be that
> the existing rents collected by X.509 CAs would instead be paid to
> domain registries and registrars instead.  (On the other hand, it
> seems unlikely that registries could get away with charging the same
> premium for a secure delegation as CAs now do for a wildcard
> certificate -- and the latter is a horrible idea anyway.)

The real problem with CAs, honestly, is the fact that you have to
*trust* the CAs . . . and I do not.  They are simply not trustworthy.
This seems like a problem that would make the transition to domain
registries quite intact, based on what I know of the situation.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]

