Interesting People mailing list archives

IP: Broadband, Chip, ICANN, Global PKI, same story?


From: Dave Farber <dave () farber net>
Date: Fri, 28 Jun 2002 16:07:22 -0400


------ Forwarded Message
From: Peter Bachman <peterb () cequs com>
Organization: Cequs Inc.
Date: Fri, 28 Jun 2002 14:27:17 -0400
To: farber () cis upenn edu
Subject: Broadband, Chip, ICANN, Global PKI, same story?


Frank Ferrante wrote:

The Internet Engineering Task Force (IETF) is working diligently on methods to implement a
global PKI operation. Their biggest hurdle is how best to provide "Trust"
that the certificates linked to Domain Names and IP addresses are capable of being
supported by the process. If they succeed, and if Microsoft, with the call to
Intel and its chip competitor to move out and do this now, is listened to (I
don't own any Microsoft but I do own Intel), then the demand for the new
computers with security built in will drive sales through the ceiling.

Caveat Emptor.

Those following the ICANN meeting in Bucharest will notice the same
consistent themes of intellectual property, media content, openness or lack
thereof, digital rights management, interests in global naming, and the need
for uniqueness within any naming or numbering system.

In fact this is how ICANN states its position of being responsible for
"uniqueness":

"Specifically, ICANN coordinates the assignment of
the following identifiers that must be globally unique for the Internet
to function: Internet domain names, IP address numbers, protocol parameters,
and port numbers"

As such, the IETF PKIX roadmap notes (and others have also stated the same
thing) that the lack of effective global directory (X.500/LDAP) naming is
one factor holding up, to some extent, "the process".

Thus we have various struggles for legitimacy in naming. Or the battle over
unique identifiers.

Especially when naming translates to some form of management or control, in
terms of identity, or objects, and not just a way to locate something.

I think the fact that most companies have ignored .biz is somewhat
instructive; a lot of those that did register it already had .com. The
potential of new GTLDs may represent potential income streams for the
providers, but obviously the message is some form of control, either from
the standpoint of the individual, a corporation, or government.

A new GTLD will not help you integrate your enterprise business software,
consistent identity, combined with strong authentication and authorization
will. Putting identity (especially secure identity) onto the back of the DNS
horse is a burden which has never quite fit, when there are other protocols
which do it better. Secure DNS is hard enough just in itself.

The IETF PKIX roadmap is useful reading for more background info.

http://www.ietf.org/internet-drafts/draft-ietf-pkix-roadmap-08.txt

DNS had nothing to do with the original idea of certificates... in the design of
X.509. But DNS is pervasive and works. X.500/LDAP style naming is there
because that's the design.

What we see is a convergence of interests, occurring way above the level of the
consumer, which may or may not affect their ability to actually do something
useful.

Does the average consumer care who runs the root servers? Would they
care if they could not reach someone and that "universality of service" was
balkanized?

Browsers will enforce to some degree what is, and what is not a "valid"
certificate. But functionally, what's important is that it turns on the
crypto...and secondarily it attempts to validate, or presents to the
consumer the choice as to whether the information is in fact valid. I wonder
how many people have actually ever looked at the expired certificates in
their key store? Thus is the individual a good gatekeeper for their own
computer? Some corporations will not allow you to manage certificates on
your own browser.

For PA residents, we can renew our car registrations on-line (a great
time-saving service of e-government). Recently I was presented with an invalid
certificate, from a CA's "Trust Network", and it was largely blank in the
required attribute fields.
However, as a consumer, I clicked through anyway, because it was about to
expire, and I didn't want the problem of having an expired car registration.
Now this is an "official" document, a fairly important one, for what it ties
together: insurance, fiscal responsibility, and identity for my car's VIN,
title, etc. to the state's computer system, and related LE functions. There
was a comment field in the consumer survey where I noted to them that they had
presented an invalid certificate. I don't expect a reply.

But as a consumer, I have my registration. So does it matter? I care in
terms of higher insurance costs if it promotes fraudulent claims... I care
in terms of potential identity theft, I care about spoofed spam, and web
sites. 

If I can get to a site via DNS do I care? If the crypto works, so much the
better? 

As technologists, we care if these things work correctly, because we realize
that otherwise it's a house of cards, and the "trust" collapses. The
collapse of service providers is not a non-trivial event. When companies
invest heavily in new technology, and useful technology they deserve a
payback. That was the idea behind growth in productivity. There's an
implicit promise of progress. It's not all Darwinian market forces.

As Franklin noted, we need to be very concerned as to the pursuit of "useful
knowledge" to keep our economy going.  And we are awash in it. There's
nothing wrong with a secure chip, it's a useful technology, but we can't
divorce technology from the business climate, or the legal environment. And
whether we want that level of enforcement at the processor level, (one ring
to bind them) is something that consumers will have to carefully consider,
as well as their choice of gatekeepers.


-pb


------------------------------------------------------------------------------
peterb () cequs com
cn=peter bachman o=cequs inc. c=US
Peter Bachman
Cequs Inc.
------------------------------------------------------------------------------


------ End of Forwarded Message

For archives see:
http://www.interesting-people.org/archives/interesting-people/
