[Cryptography] Certificates and PKI - Eccentric version
Guido Witmond
guido at witmond.nl
Sun Dec 28 08:12:20 EST 2014
On 12/25/14 19:58, Paul Wouters wrote:
> certpatrol has proven this scheme is not good enough. The problem of
> gathering information without confirmation from the "true source"
> means you're in a race condition that is guaranteed to give false
> positives. When I change my A/TSLA record, for a litle while the
> world does not know it is legit or not.
Please bear in mind that I describe the Eccentric-Authentication
protocol, not traditional PKI...
I ignore All DNS-records in the protocol except for TLSA, all others are
free to change. The TLSA record points to the true source (in
Eccentric-Authentication) *by definition*.
The TLSA-record points to the Private CA of the domain. The CA signs the
server and client certificates.
Assume a user has a client certificate signed by the private CA of that
domain. (The correct owner). As long as the private key of the private
CA remains secure, the browser can detect TLSA manipulations by third
parties (i.e. Registrars/governments/...)
What remains is a TOFU-situation: How to increase the chance of a user
detecting the correct site for a given domain name at First Contact.
That's where CT/certpartol/perspectives comes in. It records the history
of the values of the TLSA-record for a domain.
The 'price' is that one cannot change their TLSA-records. In
eccentric-authentication, the Private CA is the *Identity* of the site,
not the domain name.
As long as the domain owner (registrant) keeps its private CA private
key secret, it is protected against hostile registrars. The private key
lives at the right place: at the end, not in the middle.
To make it easy to keep that key secret, the domain owner creates a
SubCA, uses that to sign client certificates and keeps the Root key on a
HSM (usb-stick, smart card, etc) in a safe. Once in a while the domain
owner creates a new SubCA private key and destroys the old one. This
step can be done offline using a dedecated computer, only to be used for
this purpose.
To summarize: The tradition PKI designates the *domain name* to be the
*identifier*. With Eccentric-Authentication, I designate the Private CA
Public Key to be the identity, independent of domain name.
Traditional PKI offers the option to change public keys at any time, the
price is that end users have to trust that the infrastructure is honest.
And end users have no way of detecting that.
In Eccentric-Authentication, the protocol offers true end-to-end
validation of public keys between sites and users. End users' browsers
detect it when the infrastructure is dishonest. To manipulate
undetected, one has to obtain the private CA Root key. A much harder
target. And a higher price to pay if the CA Root key gets destroyed or
leaked.
Regards, Guido Witmond.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141228/31771ad6/attachment.sig>
More information about the cryptography
mailing list