[SSL Observatory] Tangent - coercibility of different authority structures
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Sep 26 07:12:47 PDT 2011
On 09/26/2011 02:22 AM, Matt McCutchen wrote:
> I appreciate your intentions of providing distributed control through
> multiple CAs. But as long as the system is structured as a disjunction,
> all it provides is increased attack surface, some of which may lie right
> in the countries in question. Do you propose to change that?

The disjunction you're talking about is one of the root causes of the
problematic incentives of our current situation. I think it's due to
the fact that X.509 is structured in such a way as to require exactly
one issuer per cert.

However, there are already multiple projects in place that use
distributed (multi-authority) models that do not force reliance on such a
disjunction.

The Monkeysphere project (I contribute to it) applies the OpenPGP "trust
model" to https (and other) authentication, allowing corroborative
authentication:

http://web.monkeysphere.info/

There's nothing stopping an existing CA from issuing OpenPGP
certifications alongside their X.509 certifications. This would break
the existing lock-in arrangement for users, browsers, and site
operators, which would mean that bad CAs would be easier to remove.

The Convergence and Perspectives projects provide non-disjunction
operation by aggregating results from multiple notaries across the
network. I think there are problems with this approach (real-time
notaries on the public network leave the relying party subject to
physical compromise of the peer; they also can't cope with hosts inside
firewalled networks). Still, they manage to neatly avoid the
problematic centralization of DNSSEC and the problematic disjunction of
the X.509 model.

http://convergence.io/

Regards,
--dkg
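
An added illustration, not part of the original message and not code from Monkeysphere, Convergence or Perspectives: a minimal model contrasting the disjunctive acceptance rule discussed above with a corroborative (k-of-n) rule. The authority names, the threshold of 3 and the sample fingerprints are constructed assumptions.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER bytes."""
    return hashlib.sha256(cert_der).hexdigest()

def disjunctive_accept(presented: str, attestations: dict) -> bool:
    """Single-issuer model: any one trusted authority vouching is enough."""
    return any(fp == presented for fp in attestations.values())

def quorum_accept(presented: str, attestations: dict, threshold: int):
    """Corroborative model: at least `threshold` authorities must vouch for
    the presented key. Authorities that gave no answer (None) never count as
    agreement, so silencing some of them cannot lower the bar."""
    if not 1 <= threshold <= len(attestations):
        raise ValueError("threshold must be between 1 and the number of authorities")
    agreeing = sorted(n for n, fp in attestations.items() if fp == presented)
    return len(agreeing) >= threshold, agreeing

# Constructed sample data: five hypothetical authorities, one of them coerced.
REAL_KEY = fingerprint(b"constructed: site operator's certificate")
ROGUE_KEY = fingerprint(b"constructed: certificate held by an interceptor")
ATTESTATIONS = {
    "authority-a": REAL_KEY,
    "authority-b": REAL_KEY,
    "authority-c": REAL_KEY,
    "authority-d": None,        # could not reach the host (e.g. firewalled)
    "authority-e": ROGUE_KEY,   # coerced into vouching for the rogue key
}

if __name__ == "__main__":
    for label, key in (("real", REAL_KEY), ("rogue", ROGUE_KEY)):
        ok, who = quorum_accept(key, ATTESTATIONS, threshold=3)
        print(f"{label}: disjunctive={disjunctive_accept(key, ATTESTATIONS)} "
              f"quorum(3 of 5)={ok} vouched_by={who}")
```

With this data the rogue key passes the disjunctive check on the strength of one coerced authority, while the quorum rule rejects it and still accepts the real key despite one unreachable authority.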