[Cryptography] Verisimilitrust

Ray Dillinger bear at sonic.net
Wed Jan 13 18:32:23 EST 2016


So - what worthwhile applications do we need another public key
infrastructure for? And what requirements does it have beyond or
different from the X.509 PKI?

The model with browser vendors deciding which root keys to put
into browsers (the browser vendors delegate trust to the CAs)
was necessary because nobody else was effectively doing it.  We
wanted to keep Mallory out so we trusted Trent, but it turns out
that we failed to give Trent a reason not to cooperate with Eve.

Certificates aren't a bad thing.  The cryptography was sound.  But
we got the business relationships into a different configuration
than the trust model, and that failed.  We set up CAs who were
in a position to sell the trust of people who never trusted them.
They had no contractual or product liability to the people who
depended on their services.  That was unsustainable, and very
predictably, it's dying.

Moving the trust root to the browser vendors is a step forward.
The people whose trust is being delegated/sold are the ones who
use the browsers, and they are making a choice. They could make
a different choice if they decide that a browser vendor is
untrustworthy.  And possibly the browser vendors could even be
held liable to the users if their product contains deliberate
malware in the form of untrustworthy certs, which was something
the users never had with mere CAs.

So now we have Trent II.  Unlike Trent I, he has at least some
potential motive or business reason to be a trustworthy actor.
Unfortunately I fear that Eve (and/or Mallory) will offer even
greater incentives to become an untrustworthy actor.  And Trent I
isn't dead yet, which will cause confusion at least until the
CA model finishes dying.

Anyway, that's it in a nutshell.  Nobody is in a position
to sell the trust of consumers unless the consumers trust them.
CAs who had not established a trust relationship or at least a
commerce relationship with the users were never worthwhile. It
was the browser vendors all along who could operate in that
capacity, and the recent steps making that more clear are merely
a long-overdue clarification.

But the browser vendors can't secure trust for anything except
web browsers.  And the PKI for web browsers, to a first
approximation, doesn't work or at least hasn't been made to
work for much beyond E-commerce.  Authenticating the user (as
opposed to the server) is strictly out-of-band.  The user is
unauthenticated in the protocol, because the user has no
certificate.  All the server knows is that the user provided
them with the information they need to access a bank account
or credit card out of band to their interaction with the user,
and that's all the user authentication they get.

This brings us up to the present day.  Browser vendors are
now the only CAs that matter.  Web servers are authenticated
to users but user authentication is either out of band (e-commerce)
or not done (everything else).  Without mutual authentication the
applications beyond E-commerce are limited.  With browser vendors
as CAs the applications beyond web browsing are limited.

So, what's the payoff to overcome these limitations? What worthwhile
applications do we need another public key infrastructure for?  What
is the trust model and how can we avoid the mistakes of setting up a
business model that doesn't follow it?  And what requirements does
it have beyond or different from the X.509 PKI?

In short, where is the new work that we still need to do?

				Bear
