Re: PKI: Only Mostly Dead

2002-06-10 Thread lynn . wheeler

I think there is even less I than most people suspect. I've recently
taken to some manual sampling of SSL domain name server certificates ...
and finding certificates that have expired ... but being accepted by
several browsers that i've tested with (no complaints or fault
indications).

there was a thread in another forum where I observed that back when
originally working on this payment/ecommerce thing for this small
client/server startup that had invented these things called SSL & HTTPS ...
my wife and I had to go around to various certificate manufacturers with
regard to some due diligence activity. I think w/o exception that they all
made some comment about the PK being technical ... and the I being
service ... and providing service is an extremely hard thing to do (and
they hadn't anticipated how really hard it is).

some past ssl domain name certificate threads:
http://www.garlic.com/~lynn/subtopic.html#sslcerts

As i've observed previously there are a number of ways that the technical
stuff for PK can be done w/o it having to equate to (capital) PKI ...
some recent threads on this subject:
http://www.garlic.com/~lynn/aepay10.htm#31 some certification & authentication landscape summary from recent threads
http://www.garlic.com/~lynn/aepay10.htm#32 some certification & authentication landscape summary from recent threads
http://www.garlic.com/~lynn/aepay10.htm#34 some certification & authentication landscape summary from recent threads
http://www.garlic.com/~lynn/aepay10.htm#35 some certification & authentication landscape summary from recent threads
http://www.garlic.com/~lynn/aadsm11.htm#18 IBM alternative to PKI?
http://www.garlic.com/~lynn/aadsm11.htm#19 IBM alternative to PKI?
http://www.garlic.com/~lynn/aadsm11.htm#20 IBM alternative to PKI?
http://www.garlic.com/~lynn/aadsm11.htm#21 IBM alternative to PKI?
http://www.garlic.com/~lynn/aadsm11.htm#22 IBM alternative to PKI?
http://www.garlic.com/~lynn/aadsm11.htm#23 Proxy PKI. Was: IBM alternative to PKI?
http://www.garlic.com/~lynn/aadsm11.htm#24 Proxy PKI. Was: IBM alternative to PKI?
http://www.garlic.com/~lynn/aadsm11.htm#25 Proxy PKI. Was: IBM alternative to PKI?
http://www.garlic.com/~lynn/aadsm11.htm#26 Proxy PKI
http://www.garlic.com/~lynn/aadsm11.htm#27 Proxy PKI
http://www.garlic.com/~lynn/aadsm11.htm#30 Proposal: A replacement for 3D Secure
http://www.garlic.com/~lynn/aadsm11.htm#32 ALARMED ... Only Mostly Dead ... RIP PKI
http://www.garlic.com/~lynn/aadsm11.htm#33 ALARMED ... Only Mostly Dead ... RIP PKI
http://www.garlic.com/~lynn/aadsm11.htm#34 ALARMED ... Only Mostly Dead ... RIP PKI
http://www.garlic.com/~lynn/aadsm11.htm#35 ALARMED ... Only Mostly Dead ... RIP PKI .. addenda
http://www.garlic.com/~lynn/aadsm11.htm#36 ALARMED ... Only Mostly Dead ... RIP PKI .. addenda II
http://www.garlic.com/~lynn/aadsm11.htm#37 ALARMED ... Only Mostly Dead ... RIP PKI
http://www.garlic.com/~lynn/aadsm11.htm#38 ALARMED ... Only Mostly Dead ... RIP PKI ... part II
http://www.garlic.com/~lynn/aadsm11.htm#39 ALARMED ... Only Mostly Dead ... RIP PKI .. addenda
http://www.garlic.com/~lynn/aadsm11.htm#40 ALARMED ... Only Mostly Dead ... RIP PKI ... part II
http://www.garlic.com/~lynn/aadsm11.htm#42 ALARMED ... Only Mostly Dead ... RIP PKI ... part III



[EMAIL PROTECTED] at 6/1/2002 2:18am wrote:


Peter Gutmann should be declared an international resource.

Thankyou Nobody.  You should have found the e-gold in your account by now :-).

Only one little thing mars this picture.  PKI IS A TREMENDOUS SUCCESS WHICH IS
USED EVERY DAY BY MILLIONS OF PEOPLE.  Of course this is in reference to the
use of public key certificates to secure ecommerce web sites.  Every one of
those https connections is secured by an X.509 certificate infrastructure.
That's PKI.

  Opinion is divided on the subject -- Captain Rum, Blackadder, Potato.

The use with SSL is what Anne|Lynn Wheeler refer to as certificate
manufacturing (marvellous term).  You send the CA (and let's face it, that's
going to be Verisign) your name and credit card number, and get back a cert.
It's just an expensive way of doing authenticated DNS lookups with a ttl of one
year.  Plenty of PK, precious little I.

The truth is that we are surrounded by globally unique identifiers and we use
them every day.  URLs, email addresses, DNS host names, Freenet selection
keys, ICQ numbers, MojoIDs, all of these are globally unique!
[EMAIL PROTECTED] is a globally unique name; you can use that
address from anywhere in the world and it will get to the same mailbox.

You can play with semantics here and claim the exact opposite.  All of the
cases you've cited are actually examples of global distinguisher + locally
unique name.  For example the value 1234567890 taken in isolation could be
anything from my ICQ number to my shoe size in kilo-angstroms, but if you view
it as the pair { ICQ domain, locally unique number } then it makes sense
(disclaimer: I have no idea whether that's either a valid ICQ number or my shoe
size in

Re: PKI: Only Mostly Dead

2002-06-09 Thread Derek Atkins

[EMAIL PROTECTED] (Peter Gutmann) writes:

 For example the value
 1234567890 taken in isolation could be anything from my ICQ number
 to my shoe size in kilo-angstroms, but if you view it as the pair {
 ICQ domain, locally unique number } then it makes sense
 (disclaimer: I have no idea whether that's either a valid ICQ number
 or my shoe size in kilo-angstroms).

It's clearly not your shoe size in kilo-angstroms, unless you have
MIGHTY large feet.  According to 'units', that works out to 4860
inches.

-derek
-- 
   Derek Atkins
   Computer and Internet Security Consultant
   [EMAIL PROTECTED] www.ihtfp.com




Re: PKI: Only Mostly Dead

2002-06-09 Thread Derek Atkins

[EMAIL PROTECTED] (Peter Gutmann) writes:

 It's clearly not your shoe size in kilo-angstroms, unless you have MIGHTY
 large feet.  According to 'units', that works out to 4860 inches.
 
 Obviously it's my hat size then.

I always knew you had a fat head ;)

 Peter.

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
   [EMAIL PROTECTED]        PGP key available




Re: PKI: Only Mostly Dead

2002-06-09 Thread Peter Gutmann

Derek Atkins [EMAIL PROTECTED]
[EMAIL PROTECTED] (Peter Gutmann) writes:
 For example the value
1234567890 taken in isolation could be anything from my ICQ number
to my shoe size in kilo-angstroms, but if you view it as the pair {
ICQ domain, locally unique number } then it makes sense
(disclaimer: I have no idea whether that's either a valid ICQ number
or my shoe size in kilo-angstroms).

It's clearly not your shoe size in kilo-angstroms, unless you have MIGHTY
large feet.  According to 'units', that works out to 4860 inches.

Obviously it's my hat size then.

Peter.




Re: PKI: Only Mostly Dead

2002-06-01 Thread Peter Gutmann

Peter Gutmann should be declared an international resource.

Thankyou Nobody.  You should have found the e-gold in your account by now :-).

Only one little thing mars this picture.  PKI IS A TREMENDOUS SUCCESS WHICH IS
USED EVERY DAY BY MILLIONS OF PEOPLE.  Of course this is in reference to the
use of public key certificates to secure ecommerce web sites.  Every one of
those https connections is secured by an X.509 certificate infrastructure.
That's PKI.

  Opinion is divided on the subject -- Captain Rum, Blackadder, Potato.

The use with SSL is what Anne|Lynn Wheeler refer to as certificate
manufacturing (marvellous term).  You send the CA (and let's face it, that's
going to be Verisign) your name and credit card number, and get back a cert.
It's just an expensive way of doing authenticated DNS lookups with a ttl of one
year.  Plenty of PK, precious little I.

The truth is that we are surrounded by globally unique identifiers and we use
them every day.  URLs, email addresses, DNS host names, Freenet selection
keys, ICQ numbers, MojoIDs, all of these are globally unique!
[EMAIL PROTECTED] is a globally unique name; you can use that
address from anywhere in the world and it will get to the same mailbox.

You can play with semantics here and claim the exact opposite.  All of the
cases you've cited are actually examples of global distinguisher + locally
unique name.  For example the value 1234567890 taken in isolation could be
anything from my ICQ number to my shoe size in kilo-angstroms, but if you view
it as the pair { ICQ domain, locally unique number } then it makes sense
(disclaimer: I have no idea whether that's either a valid ICQ number or my shoe
size in kilo-angstroms).

(This is very much a philosophical issue.  Someone on ietf-pkix a year or two
 back tried to claim that X.500 DNs must be a Good Thing because RFC 822 email
 address and DNS names and whatnot are hierarchical like DNs and therefore
 can't be bad.  I would suspect that most people view them as just dumb text
 strings rather than a hierarchically structured set of attributes like a DN.
 The debate sort of fizzled out when no-one could agree on a particular view).

I think the unified view is that what you need for a cert is a global
distinguisher and a locally meaningful name, rather than some complex
hierarchical thing which tries to be universally meaningful.  Frequently the
distinguisher is implied (eg with DNS names, email addresses, for use within
XYZ Copy only, etc), and the definition of local really means local to the
domain specified in the global distinguisher.  I'm not sure whether I can
easily fit all that into the paper without getting too philosophical - it was
really meant as a guide for users of PKI technology.

Peter.