[Cryptography] Revocation is an Authorization issue

Ángel angel at crypto.16bits.net
Wed Aug 18 21:19:19 EDT 2021


On 2021-08-10 at 13:40 -0400, Phillip Hallam-Baker wrote:
> My present concern is the client side. Or rather how do we
> authenticate and authorize user devices. Client/Server is about which
> side initiates a conversation and is really not a very useful
> nomenclature. The difficulty of 'client side' PKI is not that we have
> to speak first, it is that authenticating people turns out to be much
> harder than authenticating corporations. That is because corporations
> are by definition created by the process of government accreditation,
> people are not. People do not come with a life long identifier.

Not really. For practical purposes, most people using this would have a
Government-issued identifier¹ which would work for this. Some national
identity document, SSN... A look at
https://en.wikipedia.org/wiki/Identity_document suggests that most
countries have some mandatory ID, or use a document which would equally
serve for that. The UK seems to be one of the few exceptions.

Properly accepting all those IDs would be a different issue. You would
probably need something like eIDAS.


¹ Or several ones. Particularly for nationals of one country residing
on a different one.



> In the WebPKI, the authorization of the service is implicit in the
> user's decision to visit it. Even more so in the current diminished
> incarnation where all we are trying to do is provide slightly more
> robust confidentiality than that afforded by an on the fly ephemeral
> exchange.

I don't think so. I would say that the authorization of the user to
identify the website lies simply in that the website is open to be
identified by everyone (otherwise they would use an internal root, or
self-signed certificates...).

And if you actually mean that the user is implicitly authorizing the
service to be identified, I also disagree. We could ponder if that is
conveyed by the user providing some credentials (is a phishing page
impersonating $ENTITY authorized by the user?)



> That isn't the case in a user/client PKI because the purpose of the
> authentication step is to decide whether or not to bind the request
> to a user account. It is the user account which provides
> authorization.

I think the issue here is actually the privacy step, I may not wish to
be [so easily] identified by a random website… or its embedded ads.


> Should Alice's cell phone talk to Bob's directly? That is a more
> complex call but the answer I come up with again is 'absolutely not'.
> If we are to provide minimal privacy guarantees, the presence
> protocol needs to be mediated as a three corner model or anyone can
> track Alice through the presence protocol. And if we want to give
> really good guarantees, it needs to be mediated as a four corner
> model.

Does it?

You are adding a new, unspecified, presence protocol to the mix, but I
don't think it is really necessary they are mediated (although it's
nevertheless desirable they can be).

Let's suppose Alice has the international phone number +1 555-0101 and
Bob +1 555-0102. They could be assigned IPv6 addresses
2001:db8::01:555:0101 and 2001:db8::01:555:0102.

So far, there's no privacy leakage. Knowing the IPv6 address provides
no extra information over the telephone number itself.
The telephone provider will need to link that address to the actual
cell location, but they already do that, so they can be called.

Next step is a bit more delicate, though. When Bob calls Alice, it must
provide a (hopefully signed/verifiable) request that "This is
2001:db8::01:555:0102 calling 2001:db8::01:555:0101".
Alice's phone would then filter it (is Bob blocked? am I in No Disturb
Mode?) and, if allowed, reply back letting the negotiation follow.

So, the only disclosure would be whether Alice's phone is online or not,
and it cannot be done silently, as discovering that requires an actual
call (even if brief), it shall be logged at Alice's terminal.

And so, the system doesn't leak any new information either: if you call
someone, you can discover if the phone is turned on.

Finally, we have the network metadata: the actual traffic between
2001:db8::01:555:0101 and 2001:db8::01:555:0102 revealing they called
one another and that there was a conversation lasting X time.
This would be restricted to their providers, which already have that
kind of visibility now as well, but seems to be the most useful gain.
You would then need to worry about the information gathered by the
mediators themselves, while not being distinctive enough to identify a
user. And with traffic analysis, which is likely to reveal the
endpoints anyway.


Regards
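
The callee-side flow described in the message above (signed request, blocked/Do Not Disturb filter, logging at Alice's terminal), as an added example that is not part of the original post. The Ed25519 signature, the JSON message shape, the 30-second freshness window, the key directory, the third caller and all function names are assumptions.

```javascript
const nodeCrypto = require('crypto');

// Assumed mapping, inferred from the two addresses in the message:
// "+1 555-0101" -> 2001:db8::01:555:0101 (digits reused as hextets).
function phoneToAddr(e164) {
  const m = /^\+(\d{1,2}) (\d{3})-(\d{4})$/.exec(e164);
  if (!m) throw new Error('unsupported number format');
  return `2001:db8::${m[1].padStart(2, '0')}:${m[2]}:${m[3]}`;
}

// Caller side: sign "this is <from> calling <to>" (Ed25519 is an assumption).
function makeCallRequest(from, to, privateKey, now) {
  const body = JSON.stringify({ from, to, ts: now });
  return { body, sig: nodeCrypto.sign(null, Buffer.from(body), privateKey) };
}

// Callee side: the attempt is logged before any decision, so a probe of
// the phone's online status always leaves a record on the terminal.
function handleCall(req, state, now) {
  const entry = { ts: now, claimedFrom: null, result: 'rejected:malformed' };
  state.log.push(entry);
  let msg;
  try { msg = JSON.parse(req.body) || {}; } catch { return entry.result; }
  entry.claimedFrom = msg.from;
  const key = state.directory.get(msg.from);
  // The 30-second freshness window against replays is an added assumption.
  const ok = key !== undefined && msg.to === state.self && Math.abs(now - msg.ts) <= 30 &&
    nodeCrypto.verify(null, Buffer.from(req.body), key, req.sig);
  if (!ok) entry.result = 'rejected:unverified';
  else if (state.blocked.has(msg.from)) entry.result = 'rejected:blocked';
  else if (state.doNotDisturb) entry.result = 'rejected:dnd';
  else entry.result = 'accepted';
  return entry.result;
}

// Constructed scenario: Bob calls, a blocked caller (Carol) calls, then
// Carol signs a request that claims Bob's address.
function demo() {
  const bob = nodeCrypto.generateKeyPairSync('ed25519');
  const carol = nodeCrypto.generateKeyPairSync('ed25519');
  const [alice, bobAddr, carolAddr] = ['+1 555-0101', '+1 555-0102', '+1 555-0103'].map(phoneToAddr);
  const state = { self: alice, doNotDisturb: false, log: [],
    blocked: new Set([carolAddr]),
    directory: new Map([[bobAddr, bob.publicKey], [carolAddr, carol.publicKey]]) };
  const call = (from, key, t) => handleCall(makeCallRequest(from, alice, key, t), state, t + 1);
  const results = [call(bobAddr, bob.privateKey, 1000),
    call(carolAddr, carol.privateKey, 1010), call(bobAddr, carol.privateKey, 1020)];
  return { results, logged: state.log.length };
}
console.log(demo());
```

All three attempts, including the rejected ones, end up in the callee's log, which is the "cannot be done silently" property the message relies on.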



