A mighty fortress is our PKI, Part II
Ben Laurie
ben at links.org
Wed Jul 28 10:46:58 EDT 2010
On 28/07/2010 15:18, Peter Gutmann wrote:
> Ben Laurie <ben at links.org> writes:
>
>> However, using private keys to prove that you are (probably) dealing with the
>> same entity as yesterday seems like a useful thing to do. And still needs
>> revocation.
>
> It depends on what you mean by revocation, traditional revocation in the PKI
> sense isn't needed because (well apart from the fact that it doesn't work, you
> can't un-say something after you've already said it) if you look at what a PK
> or a cert is, it's just a capability, and the way to revoke (in the capability
> sense) a capability is to do something like rename the object that the
> capability refers to or use a level of indirection and break the link when you
> want to revoke (in the capability sense) the access. This means that no
> matter how many copies of the capability are floating around out there and
> whether the relying party checks CRLs or not, they're not going to be able to
> get in.
Now you are talking my language! Have I mentioned that my new project at
Google is all about finding good UI for exposing capabilities to users?
>> Is there a good replacement for pk for this purpose?
>
> Which purpose? If you mean securing the distribution channel for binaries,
> here's a very simple one that doesn't need PK at all, it's called a
> self-authenticating URL. To use it you go to your software site, and here's a
> real-world example that uses it, the Python Package Index, and click on a
> download link, something like
> http://pypi.python.org/packages/package.gz#md5=.... (yeah, I know, it uses
> MD5...). This link can point anywhere, because the trusted source of the link
> includes a hash of the binary (and in this case it's a non-HTTPS source, you
> can salt and pepper it as required, for exammple make it an HTTPS link and use
> key continuity to manage the cert). In this form the concept is called link
> fingerprints, it was actually implemented for Firefox as a Google Summer of
> Code project, but then removed again over concerns that if it was present
> people might actually use it (!!). It's still available in DL managers like
> DownThemAll.
The problem here is that it doesn't directly give me an upgrade path. Of
course, I agree that this is sufficient to give me a link to the "right"
binary, but what about its successors?
> Another option is to cryptographically bind the key to the URL, so you again
> have a trusted link source for your download and the link is to
> https://<base64>.downloadsite.com, where <base64> is a fingerprint of the cert
> you get when you connect to the site. This does away with the need for a CA,
> because the link itself authenticates the cert that's used.
Yes, this is of course the YURL scheme.
> Then there are other variations, cryptographically generated addresses, ...
> all sorts of things have been proposed.
>
> The killer, again, is the refusal of any browser vendor to adopt any of it.
> In the case of FF someone actually wrote the code for them, and it was
> rejected. Without support from browser vendors, it doesn't matter what cool
> ideas people come up with, it's never going to get any better.
>
> Peter.
>
>
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list