the idea of setting up a server that everyone in the world would trust was
suggested in RFC 1422 (IPRA), in 1993.
It did not succeed terribly well then, and people have tended to look very
skeptically upon ideas that require some sort of "single root" since then.
What's your reason to believe it could succeed this time?
The short answer; I'm not sure. A PKI system is technically a good mechanism
to provide non-repudiation. I think there is tremendous benefit in non-
repudiation which makes it worth while. Non-repudiation is all that I'm
suggesting.
The long long long answer (forgive the lengthy answer :)
Some differences to this proposal(CAS) compared to RFC 1422:
1422: Based upon X.500 naming convention which is not in general use.
CAS : Based upon DNS naming convention which in foundational to internet use.
1422: Use PKI to validate foreign users. Foreign being email addresses in a
different domain, the RCPT TO address.
CAS : Require data privacy. The first SMTP server MUST verify the MAIL FROM
the last SMTP server MUST verify the RCPT TO. Every SMTP would append
a digital signature.
1422: Single root the IPRA.
CAS : Each TLD would be the root of it's tree very similar to DNS today. The
bridging certificates are provided as a service so a server with a name
ending in COM could trust a server with a name ending in NET.
1422: Use PKI to encrypt messages.
CAS : MAY use PKI to encrypt messages. This is not part of the requirement
for a CAS system. It is a feature of PKI that could be used.
1422: IPRA is certifying body and provider of certificates.
CAS : Each domain would provide it's own certificates. Let me explain how
I see this implemented because this is where (I think) the scalability
and biggest differences comes in.
There would be a CAS record in DNS to designate the authoritative CAS server.
This server would own all certificates for it's domain (example.com). Every
domain owner would be REQUIRED to have a CAS server just like every domain
owner is REQUIRED to have a DNS server. The hierarchy just manages the trust.
COM would provide certificate for EXAMPLE. EXAMPLE would provide
certificates for WWW, MAIL, LDAP, whatever... I would suggest that each email
address could have a certificate too. The
com(_dot_)user(_at_)example(_dot_)com certificate
would be managed by CAS server for EXAMPLE.COM too.
In order to send "trusted" email from com(_dot_)user(_at_)example(_dot_)com to
net(_dot_)user(_at_)example(_dot_)net the MAIL.EXAMPLE.COM would 1)verify
com(_dot_)user(_at_)example(_dot_)com
with or without a certificate, 2)sign the email and 3) forward it
to MAIL.EXAMPLE.NET. MAIL.EXAMPLE.NET would 1) verify
net(_dot_)user(_at_)example(_dot_)net
2) query it's own CAS server which would recursively query CAS servers up
the NET tree across the bridge and back down the COM tree to EXAMPLE.COM
CAS server. The CAS server would then pass the public key to
MAIL.EXAMPLE.NET so it could verify the signature from MAIL.EXAMPLE.COM and
accept the email, and 3) sign the email, and finally 4) forward the email to
net(_dot_)user(_at_)example(_dot_)net(_dot_)
The CAS servers would rely upon DNS for resolving IP addresses as you would
expect. But, I would recommend that CAS IP address would be REQUIRED as
manual entry similar to the default gateway and DNS server entries. I do not
believe that DNS can provide trust by itself. I do not believe that CAS can
provide trust by itself. Both the DNS and the additional setting for CAS IP
address would be required to provide independent path for auditing. You
can't have one server that just provided you an answer to verify itself,
because any attack to compromise a server could and would authenticate
itself. At least two servers (DNS and CAS) would need to be compromised to
successfully complete an attack.
Also, I would expect two types of CAS servers. One being the authoritative
CAS server for authoritative public keys. The other being resolving CAS
server for querying (and cache-ing) public key answers. Note, resolving CAS
servers would need to be simple to implement but also need to be uniquely
named. I believe there would be trust assumptions possible for Private-use
networks(as defined in RFC 3330) that also mask to a local address.
Also, each entity could have multiple key pairs. I see the need for 1)single
use and 2)limited timestamp certificates. For example, com.user has web
based access to email. When working from the office com.user would have an
established PKI. Planning for vacation or business trip, com.user would
create a set of key pairs with a timestamp for each day. So entering a
private key on an untrusted computer would only cause limited damage. A
single use key may also work in this situation. The private keys could be
stored on some device like a san disk or floppy disk.
Also, PKI needs some assistance for initially establishing authenticity. I
would propose using Shared Secret Keys(SSK). Because certificates can be
revoked additional overhead would be required to rely upon PKI for initial
startup. So, each internet based server(IBS) would be REQUIRED to have an SSK
with it's resolving CAS server. There might be multiple CAS servers, just
like DNS, but the number of servers would be manageable. Exceptions for
omitting the SSK MAY be provided for private-use networks (as described in
RFC 3330). The SSK would need to be entered via some out-of-band method.
The IBS would have to know 1)it's own private key 2)the shared secret key and
3)the CAS IP address. The resolving CAS server would have to know 1)the IBS
public key and 2)the shared secret key. Upon IBS startup, it would query the
CAS providing it's public key. The CAS would respond with 1)the SSK and
2)the CAS (it's own) public key. The CAS would encrypt these with the IBS
public key. The IBS would decrypt the message and verify the SSK. The IBS
would have a trusted CAS public key! All public servers including CAS
servers would have to include this extra step during startup.
Also, CAS could be used for SERVER-A to directly establish a PKI trust with
SERVER-B. This could be used for B2B or legal type transactions. SERVER-A
and SERVER-B would have to self maintain this key pair for their trust
relationship it would not be maintained by the CAS system. This would be a
business decision and would require some command to initiate this trust
transaction. The business server only needs to know the FQDN to setup the
trust because it could rely upon CAS to initially establish the trust. This
would truly help prevent MiTM attacks.
If you are reading this, I may actually have an implementation that merits
further review. Thanks for your inquiry.
Best Regards,
Sal
Salvatore Mangiapane
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf