Re: [CAcert-Policy] Why is identity needed to authenticate domains?

  • From: Ian G <iang AT systemics.com>
  • To: Policy-Discussion <cacert-policy AT lists.cacert.org>
  • Subject: Re: [CAcert-Policy] Why is identity needed to authenticate domains?
  • Date: Sun, 13 May 2007 12:53:26 +0200
  • List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
  • List-id: Policy-Discussion <cacert-policy.lists.cacert.org>

mfolimun AT elitemail.org wrote:
> On Fri, 11 May 2007 14:00:04 +0200, "Ian G" <iang AT systemics.com> said:
>
>> But I don't think it is to provide *domain-control* certs for free. That's just something that is done right now as part of the above mission. CAcert might decide one day to drop them completely.
>>
>> Also, CAcert's mission is likely to limit its bounty in the future to just registered users ... (with the assumption that they become Assured.)

> This is unfortunate. I had hoped your goal was to provide
> a widely accepted certificate authority that enabled the average joe to secure his domain content. This is something
> badly needed.. :(
>
> General web of trust and document certification is something
> already done by the much more extensive (and more easily accessible and usable) GPG web of trust.


Sure. But the reliance equations are different, very different, in those environments.


>> (2) But, most of the people who *implement* PKI and certificates believe something else. They believe that crypto should only be used from person to person in an environment of reliance. I agree with that, to the extent that it exists, as a world.
>
> This world does not exist for ssl-style certs. It never will. SSL certs are by their nature a many-to-many relation
> where an authority (you) certifies other entities as being who they say they are to a multitude of users. For SSL, the entity certified is a domain name, tied to the DNS system.


It's curious that I say it exists, and you don't...  :)

Actually, if you say SSL certs are entities to a multitude of users, then that's the same thing.

Your view however seems to be that domains are in some sense "disconnected from a person." It is the case that certain CAs tend to connect domains to (a) control of requestor and (b) has a credit card. CAcert doesn't do that, though. Is that what you are asking CAcert to do?


>> CAcert has to live in both worlds. So far it is doing this double life fairly well. From both sides it looks sort of kinda like what is expected.
>>
>> But it's not perfect, I grant. Your complaint here is fairly minor compared to the complaints that CAcert receives from the PKI world.
>
> Hrmm, I'm not aware of these complaints. I approached this issue
> from the point of view that the best way to achieve the goal of
> a CA cert that is accepted by most browsers, email clients,
> and other SSL users is to get it used by a large number of people.


That view exists too. It is not however a view that is held by any browser that we know of. Some want an audit, some want money, some want somebody else to say OK, and some won't say what they want ;)


> My view was if you make adoption easy for people, at some point a tipping point will be reached where the browsers and email clients say "Hey, these guys are doing a good job of certifying domain owners actually own their domains. And lots of people use them. Let's include them." This is ultimately what SSL for web and email is about. Certifying domains.


Be careful with mixing up ownership and control. You are proposing domain-control, and not domain ownership. Domain ownership can only be established with reference to a person, and you are stating that this should not be done.

That is, legal title to a domain can only be held in the name of a person (including a company).

And, it is possibly worth remembering that "control" in a legal sense includes authorisation to control. This can only be established with reference to an owner. So for example, when assuring a corporation or other legal person, one of the things that CAcert has to check is that the (human) person they are talking to has authorisation of the corporation to make the claims. E.g., not some tape changer, but is the director of IT, referring up to the board, etc. This is very tricky, and also has many complications due to different country attitudes.


> I believe the only way for this to happen is to make adoption
> easy, and secure for its purpose. IMO, authenticating domains
> is the security you need, not authenticating people. After all
> people do not map cleanly to domains.


Sure. Unfortunately, the worldviews of domains <--> person dominate any individual opinions ... and most specifically dominate the PKI world, including the browser manufacturers. IMO.

So while your ideas are great, they just aren't very .. current. The identity folk got there first, and are the gatekeepers.


>>> If I demonstrably control all properties of domain X, there is no harm in you certifying I am domain X, unless I have hacked domain X, stole its mail, stole the passwords to the registrar, and hijacked its webserver, and convinced their ISP to update reverse DNS. All without the domain admin knowing.. If I am this much of an uber-ninja, why don't I just do this to domains Y and Z that have already been granted
>>> CAcerts, and steal their private keys?
>> So, you answered your own question by explaining the uncertainty.
>
> Ok, I suppose this is understandable. As an alternative, how about this: if an unassured user uses the 6 month cert without event/complaint, and then repeats the same 3 step process:
>
>  1. Email to postmaster
>  2. Point subdomain to requested CAcert random IP
>  3. Post randomly generated CAcert.org webpage/image on domain
>
> 6 months later, they have then demonstrated a yet higher degree of certainty of ownership of the domain, because they have been using it for 6 months without incident and still have control.


Again, you have to concentrate on both sides of the equation. CAcert goes out to its registered users and says that they can rely on this certificate. In order to provide this reliance, it has to have a balance of security.

Control is one aspect, and ownership is another. A third one that you may not have noticed is that you, as registered user, are also subject to legal action. That means that if you do something wrong, then any registered user can drag you before an Arbitrator and have a reckoning.

You literally give up something in front of CAcert and the community. You agree that you are not untouchable, and you promise reliability of some form. For that loss, you get the benefit of a certificate that other registered users can rely upon. That's the bargain, at least it's one such bargain that CAcert is choosing.

(A lot of what I am saying above is "DRAFT" so there is some room to wiggle out here in a proper forum of law.)

OTOH, and here is the punchline, in your scenario, what is it that you are offering the community? Why would CAcert care to give you a certificate? What's the bargain here?


> It is much much less likely that an uberninja would manage to escape
> 6 months of usage of a domain without anyone noticing... Surely
> this entitles them to a longer cert the second time around?


Entitlement is funny word in this context, see above :) But note that as we haven't established legal ownership, we haven't established legal control. So there is that remaining question mark: what does *technical control* buy us?


>>> But this is NOT what you do! This is what the GPG web of trust does! What YOU do is certify that content that claims to be from domain X *really is* from domain X. Particular individuals have nothing to do with the content you certify.
>> Sorry, where did you read that? The CPS doesn't say that, did this come from anywhere in particular?
>
> http://wiki.cacert.org/wiki/SubmitCsr -
> "Basically unless you assure your company nothing else except for commonNames and subjectAltNames will appear on your certificate, the other fields are removed"
>
> It would seem you do not provide any form of individual
> identity on your certs, just commonName/domain.



Oh, I see what you are saying! That might be a bug, then, in either the certificates or the CPS. Let's check it out then. Thanks!


>> As a long time promoter of pseudonymous security, I know what you are saying. But, consider this: you can do pseudonymous security by yourself.
>>
>> OTOH, if you do it with CAcert, then you have to offer CAcert something, else it has no interest in taking on the liability and risk of working with you. What would you offer?
>>
>> Or, are you simply asking CAcert to issue you with a self-signed cert? As in, do the heavy lifting of creating and running the self-signing CA for you?
>>
>> That's maybe a valuable product ... who would like that?
>
> Not really. Not if it meant a new CA for each site for the
> end-user to install.


(My suggestion was that CAcert roll an entire new CA for every user, and manage the infrastructure there for the users. But, yes they would have to install their root cert each time.)


> I am trying to encourage you to create an environment where regular people on the Internet have an incentive to add your certificates to their browser, and thus drive
> adoption by browser makers from the ground up. IMO, the best
> way to create this scenario is to make it easy (yet still
> as secure as possible within the DNS domain model of identity) for people to create domain certificates.


Oh, I see. Well, yes, maybe. From what I have seen, the attitude of the major browsers is something like "hell freezes over..." regrettably. The problem being that the 2 major browsers have both committed to greater or lesser defined paths for adoption, and they are unlikely to ditch it for "popular" alternatives. They have both made commitments on their paths, *including to the other CAs*, so it won't be an easy thing.

That's slightly more than a casual opinion. Under pressure from CAcert and others, Mozilla created a large and well-thought-out policy that lays out their path. Duane as then President of CAcert, and I, were both involved in that process.


> Sort of a "grass roots"/"tipping point" effort for browser acceptance of your root cert. I do not believe you will
> reach this tipping point if people have to fly to Germany/Ohio or wherever to show their ID documents to some
> volunteer they have never met and don't otherwise trust.


Ah... ID documents! Are you claiming some sort of basic right not to show documents? Then CAcert might claim some sort of basic right to not grant certs :)

OTOH, bear in mind that CAcert does not keep copies of the dox, and doesn't even currently note down the numbers.

So is your objection on purely political grounds? Or practical/economic grounds of travelling & cost? Or on privacy grounds?



Rant: It is the case that documents are viewed with very different perspectives in different parts of the world. In continental Europe and those that inherited the Napoleonic tradition, documents are much more important. In the Anglo world, there is a (diminishing) distaste for documents, but obscurely, the Americans place great faith in SSNs and credit, which they share widely and without apparent resistance, and other Anglo countries (UK / AU / NZ) follow suit in some or other ways.

How CAcert meets this challenge is going to be very interesting to watch. Our Anglo governments are making it somewhat easier for the "identity documents" path by tightening up on passport issuance, and stopping people like Americans travelling to Canada and the Bahamas without passports.

But still 80% of Americans lack passports, and there remain massive challenges in the poor countries who simply don't issue "strong papers." And aren't likely to. My newly issued document cost something around 1000, and that's simply unobtainable for people on poor country salaries. Even 100 is ludicrous for an ID dox.

So alternatives may have to be found. Without damaging the reliance.... That's a challenge.


> Perhaps you create a second root cert for people who want
> this sort of "quick and dirty" ssl service? But IMO, that should only be done if you still cannot reach consensus that after 6 months of continued usage, there still
> is no additional assurance that the user of the domain
> actually owns it (which I find a bit ridiculous, but hey
> it's not my decision).


That already exists, it is the "anon" Class 1 root. That's what you are using as far as I can gather. Your complaint is that it's not good enough, but in order to address that CAcert might need to understand the full scope of your objection. Political? Economic? Legal?

iang
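The three-channel domain-control check that mfolimun sketches in the message above (postmaster mail, a random subdomain pointed at a CA-chosen IP, a random page served from the domain), together with the "longer cert on an incident-free repeat" rule, written out as a runnable example. This is an added illustration, not CAcert code and not taken from the CPS: the IP 192.0.2.10, the 180/365-day lifetimes, the token formats and the fake DNS/HTTP back-ends are all assumptions made for the example, and the network calls are injected as callables so the whole flow runs offline against constructed data.

```python
"""Three-channel domain-control validation (postmaster mail, DNS, HTTP).

Added example, not CAcert code. Network access is abstracted behind
callables so the flow runs offline against constructed fakes.
"""
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

CA_CHALLENGE_IP = "192.0.2.10"  # assumed: an IP the CA controls (RFC 5737 test range)
FIRST_CERT_DAYS = 180           # the "6 month cert" discussed in the thread
REPEAT_CERT_DAYS = 365          # assumed length of the "longer cert" on a repeat pass


@dataclass(frozen=True)
class Challenge:
    domain: str
    dns_label: str    # applicant must create <dns_label>.<domain> A <ca_ip>
    http_path: str    # applicant must serve http_token at http://<domain><http_path>
    http_token: str
    mail_token: str   # CA mails this to postmaster@<domain>; applicant echoes it back


def issue_challenge(domain: str) -> Challenge:
    """Fresh, unpredictable tokens for all three channels (never reuse across requests)."""
    return Challenge(
        domain=domain,
        dns_label="cacert-" + secrets.token_hex(8),
        http_path="/cacert-" + secrets.token_hex(8) + ".txt",
        http_token=secrets.token_urlsafe(24),
        mail_token=secrets.token_urlsafe(24),
    )


def verify_control(ch, resolve, fetch, mail_reply, ca_ip=CA_CHALLENGE_IP):
    """Return (passed, failures). All three channels must pass; none is sufficient alone.

    resolve(name) -> list of A records for name (empty on NXDOMAIN)
    fetch(url)    -> response body as str, or None on error
    mail_reply    -> token the applicant submitted after reading postmaster@ mail
    """
    failures = []
    # 1. postmaster@domain round-trip: constant-time compare of the echoed token
    if not (mail_reply and hmac.compare_digest(mail_reply, ch.mail_token)):
        failures.append("mail: postmaster token mismatch")
    # 2. the random subdomain must resolve to exactly the CA's IP and nothing else
    records = set(resolve(f"{ch.dns_label}.{ch.domain}"))
    if records != {ca_ip}:
        failures.append(f"dns: expected {{{ca_ip}}}, got {sorted(records)}")
    # 3. the random page on the domain must carry the HTTP token
    body = fetch(f"http://{ch.domain}{ch.http_path}")
    if body is None or not hmac.compare_digest(body.strip(), ch.http_token):
        failures.append("http: challenge page missing or token mismatch")
    return (not failures, failures)


def certificate_days(history, today, first=FIRST_CERT_DAYS, repeat=REPEAT_CERT_DAYS):
    """Lifetime for a new cert given earlier validations of the same domain.

    history: list of (date_passed, incident_reported). A repeat pass at least
    `first` days after the most recent pass, with no incident on record, earns
    the longer lifetime; anything else gets the short one.
    """
    if not history or any(incident for _, incident in history):
        return first
    if today - max(d for d, _ in history) >= timedelta(days=first):
        return repeat
    return first


def fake_infrastructure(ch, ca_ip=CA_CHALLENGE_IP, honest=True):
    """Constructed DNS zone and web root as an applicant would set them up.

    honest=False models an attacker who compromised only the web server and
    cannot add records to the zone, so the DNS leg of the check must fail.
    """
    zone = {f"{ch.dns_label}.{ch.domain}": [ca_ip]}
    web = {f"http://{ch.domain}{ch.http_path}": ch.http_token + "\n"}
    if not honest:
        zone = {}
    return (lambda name: zone.get(name, []), lambda url: web.get(url))


if __name__ == "__main__":
    ch = issue_challenge("example.org")
    resolve, fetch = fake_infrastructure(ch)
    print("honest applicant:", verify_control(ch, resolve, fetch, ch.mail_token))
    resolve, fetch = fake_infrastructure(ch, honest=False)
    print("web-only compromise:", verify_control(ch, resolve, fetch, ch.mail_token))
    print("repeat after 6 clean months:",
          certificate_days([(date(2007, 5, 13), False)], date(2007, 11, 20)), "days")
```

The DNS leg compares the full A record set, so a label that resolves to the CA's IP plus something else fails rather than passes, and each token is compared with `hmac.compare_digest` to avoid leaking it byte by byte. Note what the check does and does not establish: it demonstrates technical control of mail, DNS and web for the domain at one moment, which is exactly the question Ian raises in the reply ("what does *technical control* buy us?"); it says nothing about legal ownership.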



