Comments: World's biggest PKI goes open source: DogTag is released

post from yesterday in crypto mailing list
http://www.garlic.com/~lynn/aadsm28.htm#47 delegating SSL certificates

the claim has been that the business model is a bigger issue than the technical issues. PKI process is the digital certificates which are the letters of credit/introduction from the sailing ship days ... where the relying party has no other recourse to information regarding first time interaction with a total stranger. it was created for the offline email scenario from the early 80s, where somebody dials up the electronic post office, exchanges email, and hangs up. then the recipient has to deal with first time email from a complete stranger.

with any sort of information about the party being dealt with and/or timely direct access to authoritative agency about a complete stranger ... then the digital certificates are redundant, superfluous and obsolete.

a 2nd issue with the business model was that going into the mid-90s, it was realized that the earlier x.509 identity certificates (increasingly overloaded with personal information) represented significant liability and privacy issues. as a result there was a lot of retrenchment to relying-party-only certificates containing nothing but some sort of record locator. However it was trivially shown that if the record has to be accessed ... then the digital certificate was (again) redundant and superfluous (or as in other posts can be trivially compressed to zero bytes).

another issue specifically with the 3rd party PKI business model was traditionally a relying party has some sort of contractual relationship with the authoritative agency (say when they are doing background check with credit agency). In the 3rd party PKI business model, there is a relationship between the certification authority and the entity that the certificate has been issued for ... but no contractual relationship between the certification authority and the relying parties (effectively negating traditional business processes). In order for the gov. PKI project to address this shortcoming ... GSA signed contracts (as representative of gov. relying parties) with all the authorized gov. certification authorities ... creating contractual obligation between the relying parties (i.e. entities that needed to rely on the validity of the digital certificates) and the (PKI) certification authorities.

misc. past posts mentioning gov. pki project and gsa (as representative of gov. relying parties) requiring contractual relationship with all authorized certification authorities
http://www.garlic.com/~lynn/aadsm12.htm#22 draft-ietf-pkix-warranty-ext-01
http://www.garlic.com/~lynn/aadsm14.htm#47 UK: PKI "not working"
http://www.garlic.com/~lynn/aadsm15.htm#8 Is cryptography where security took the wrong branch?
http://www.garlic.com/~lynn/aadsm17.htm#9 Setting X.509 Policy Data in IE, IIS, Outlook
http://www.garlic.com/~lynn/aadsm22.htm#19 "doing the CA statement shuffle" and other dances
http://www.garlic.com/~lynn/aadsm23.htm#14 Shifting the Burden - legal tactics from the contracts world
http://www.garlic.com/~lynn/aadsm26.htm#34 Failure of PKI in messaging
http://www.garlic.com/~lynn/aepay12.htm#1 Confusing business process, payment, authentication and identification
http://www.garlic.com/~lynn/2003l.html#45 Proposal for a new PKI model (At least I hope it's new)
http://www.garlic.com/~lynn/2005f.html#62 single-signon with X.509 certificates
http://www.garlic.com/~lynn/2005m.html#1 Creating certs for others (without their private keys)

Posted by Lynn Wheeler at March 20, 2008 07:41 AM