Re: [ietf-dkim] First cut on certificate extensions draft

My apologies for being late to this. I was not doing a lot over theholidays.


On Dec 28, 2008, at 9:38 AM, Hallam-Baker, Phillip wrote:

I am happy to work with people to 'do the same for PGP'. But I don'tthink that the two projects should be combined and I don't thinkthat PGP and S/MIME are quite as interchangeable as you appear tosuggest.

I think they're quite as interchangeable as he suggests, and I saythis as someone who produces software that does both OpenPGP and S/MIME. Certainly for this purpose they're isomorphic.

PGP keys are not designed for third party accreditation, sincesupport for accreditation is what I am attempting to add here, a PGPscheme would be an entirely different draft.

I might agree with the second half of that statement, but not thefirst. Of course PGP keys were designed for third party accreditation.Thawte and others did that for quite some time, and might actuallystill do it. But you can answer that better than me, as Thawte is aVersign company now.

Actually as will become clear, I would not propose using OpenPGPkeys for authentication at all. But I would propose using DNSsignaling as a means of driving deployment of S/MIME and PGP forencryption. I don't think that DKIM+OpenPGP buys you anything thatyou do not get with either DKIM or OpenPGP by itself - otherwise Iam sure Jon Callas (ccd) would have proposed it. But being able touse the DNS to leverage key discovery for encryption in the same waythat DKIM enables authentication would be very valuable indeed. AndI propose as much in my book the dotCrime Manifesto, and alsoexplain why it is essential to do BOTH PGP and S/MIME in that casenot just one.

I'm not sure how to respond to this. I think a major feature of DKIMis that it doesn't require certificates at all.

I buy that many people see value to taking the DKIM key that is in theDNS, wrapping it up into a certificate, and certifying it at somelevel. Certainly, you're in the business of doing that, and youwouldn't be spending work on certificate customers without thereasonable expectation of paying customers who see value in that.

When we were designing DKIM, we were discussing certificates in DKIM,and I said then that there's nothing stopping you from taking thatvery RSA key and creating a cert request with it and doing whateveryou want to with it. That's still true.

*I* don't know why one wants to do that. I don't see the value. Ithink the value in DKIM is that it's simple. But I understand thatthere are people who like complexity in their life and are willing topay other people to make their life complex. Whatever.

Note that OpenPGP is Pretty Good PRIVACY and NOT authentication. Aswith S/MIME the authentication was an afterthought (otherwise DKIMwould not have been necessary). Confidentiality was the main story.

Gosh, that makes sense. Since OpenPGP is *privacy* and notauthentication, I suppose we can't do S/MIME in anything that doesn'thave a MIME encoding, right?

I think you're wrong on that. The major use that I know of for OpenPGPis signing things, which I think counts as authentication.

The major reason we didn't use either of them with DKIM was that itwould have required a change to the way email was formatted, and themajor ISPs had a requirement that DKIM be invisible to the naive user.That meant that putting the signatures into the headers was the onlyviable solution.

OpenPGP can be used to provide for integrity, but only after you addin quite a bit of additional mechanism like key servers. Phil Z. didhave some really interesting insights into how to do authenticationright as well - but he didn't put them into code.

I'm sorry, this is so wrong on so many ways, Phill.

(1) OpenPGP is a *standard* for a *protocol*. It is not code.

(2) OpenPGP is a descendent of what the original PGP was, and containsmany things that weren't in the original PGP, and comparing OpenPGP toPGP 2 would be like reducing S/MIME to being nothing more than PEM.

(3) Many people have put advanced authentication concepts into codethat uses the OpenPGP protocol.

I know you don't want to do this, but you're setting up a straw man ina forest with a lot of trees and trying to cut down the mightiest treein that forest with a red herring.

As with the PKIX approach, there is only value to doing an OpenPGPbinding if you are going to get something more from it than youalready get from the existing DKIM DNS key distribution scheme. Thatmeans doing more than the absolute bare bones PGP key signing. Howmuch more I don't know, but certainly more than just a fingerprintand probably more than one key signing. We are entering areas thatare certainly possible with PGP in theory, but practical experienceis thin.
The way I would add in support for PGP to DKIM would be to add in alink to XKMS which serves as a multi-protocol key-server.Significantly, one of the authors of XKMS, Brian LaMachia was alsothe author/maintainer of the MIT Key Server for PGP. (Some otherDKIM folk were also involved)

Then, uh, why not do all of this via XKMS? XKMS is a beautifulprotocol that has as its only flaw that there's no integration intoexisting systems. Since there's no major practical thing that it does,no one does it. Why not rescue it with this, which is something it isuniquely positioned to do?

In short -- why invent something new when XKMS is an existing protocolthat does it? (There are a number of reasonable answers that I canthink of to this question, like that what you're doing is not generic,and generic is often more like a bug than a feature. Nonetheless, youdescribe what looks to me like a reasonable answer to this issueyourself. Use XKMS, and get all of them.)

A PKIX cert Path is currently 4000 bytes plus. That is a measurementtaken from the PayPal cert chain. The point here is that you want tohave a self contained path, that means that you need to have atleast three and quite often four or five certs in the chain (offlineroot, online signing cert, end-entity cert plus typically an offlinesub-root for an affiliate or other cross-certified root). Each certhas a minimum of one public key and one signature, which for RSA2048is 512 bytes per cert for a start. You also need info in anaccreditation cert that pertains to the thing you are accrediting(like the brand logo, subject name, certificate policy, extendeduses etc). And you also need legal disclaimers to incorporate theCPS and the relying party agreement by reference.
It is important to realize that Phil Z's critique of PEM was notjust 'you are doing everything wrong'. His (well founded) criticismwas that they were solving the wrong problem and in particular theywere solving a problem that was far too complex and difficult andthat was requiring too much mechanism. Once you decide to do morethan base DKIM you are doing more than Phil Z. thought sensible in1992. You are not going to end up with something that is as slim andelegant as simple PGP. You key blobs are going to be at least aslarge as for PKIX cert paths, probably larger.

Sure, but there's no reason why you can't define certificateextensions for generic certificate formats with about three paragraphsextra text, especially if you just invoked XKMS, or RFC 4398.

If the real reasons you don't want to do it are that you don't seecustomer demand for doing anything other than a PKIX certificate, andthe people who want it want to do other things like tie it into EVcertificates, logotypes, and so on -- then just *say* *so*. That's afine reason. The argument you're making is muddled and wrong. Itwouldn't be hard to do if you wanted to do it. The point is that youdon't want to.

Jon

PGP.sig
Description: PGP signature

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html