
Re: [openpgp] Opening up the debate on PKI / WoT / future of OpenPGP

2015-04-20 11:53:21
On Mon, Apr 20, 2015 at 11:22 AM, Derek Atkins <derek(_at_)ihtfp(_dot_)com> wrote:
> Phillip Hallam-Baker <phill(_at_)hallambaker(_dot_)com> writes:
>
>> Looking forward, I want to eventually get to one PKI which combines
>> Web of Trust and Hierarchical concepts. I think I can demonstrate
>> mathematically that it is possible to achieve a higher work factor
>> that way than with either approach on its own. There are use cases
>> that I cannot satisfy with one or the other.
>
> I'll note you can do that, today, with OpenPGP.  You run a CA -- start
> signing OpenPGP keys with your CA Key.  Boom.  You're done.
>
>> There are some features of a new PKI that I think are fairly obvious.
>> It is clear for example that the energy will come from the OpenPGP
>> world. It is also clear that ASN.1 is as popular as a dose of ebola
>> and there must be no new ASN.1.
>>
>> But if we do have to do a lot of new stuff, I want to go to JSON
>> rather than trying to muck about trying to extend the 1990s style
>> structures.
>
> I don't see what "new stuff" really needs to be done.
>
> Seriously, please tell me what (other than Name Constraints) OpenPGP is
> missing in order to support your concept of a PKI?  (And I'll note that
> even NC can be done in OpenPGP via notations)

It is not necessarily a question of capabilities as much as the effect of rails.

PKIX has a set of rules that are very useful and clarifying for cases
where the trust provider is an authority on the assertion being made.
If I have a CA that is bound to example.com then it can make
authoritative statements about *.example.com and *@*.example.com. If I
have an offline key it can create an intermediate that is almost the
same as it.

Such rules have value in the situations where they work. But they
don't work everywhere.

What we need is the PKI equivalent of structured programming. PKIX is
Pascal. PGP is BASIC. Yes, you can do anything with IF-THEN-GOTO. But
you probably should not try.


I don't think that it is going to be sustainable to have a PKI for
email and a PKI for non-email in the long term. There has to be merger
at some point. That was the origin of the assertion infrastructure
that became SAML when we were doing angle brackets. Now it's curly
braces...

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
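The two technical claims in the exchange above are that a CA bound to example.com is authoritative for names under it (and an intermediate may only narrow that), and that such name constraints could ride on an OpenPGP certification as a notation. The following is an added example, not code from the thread or from any OpenPGP implementation: it evaluates a chain of certifications against an OpenPGP-style User ID using the dNSName and rfc822Name matching rules of RFC 5280 section 4.2.1.10. The notation name `name-constraints@example.org`, the `kind:value` encoding inside it, and the sample chain are all assumptions made for this example; nothing here is a registered notation.

```python
# Added example: PKIX-style name constraints over OpenPGP certifications.
# Matching rules follow RFC 5280 4.2.1.10; the notation name, its encoding
# and the sample keys below are assumptions, not anything standardised.
import re

NOTATION = "name-constraints@example.org"   # assumed, not a registered notation
EMAIL_RE = re.compile(r"<([^<>@\s]+)@([^<>@\s]+)>\s*$")


def parse_user_id(uid):
    """Split a conventional 'Name <local@domain>' User ID into (local, domain)."""
    m = EMAIL_RE.search(uid)
    if not m:
        raise ValueError("User ID has no <local@domain> part: %r" % uid)
    return m.group(1).lower(), m.group(2).lower().rstrip(".")


def dns_matches(name, constraint):
    """dNSName rule: prepending labels to the constraint keeps a name inside it."""
    name, constraint = name.lower(), constraint.lower()
    return name == constraint or name.endswith("." + constraint)


def mailbox_matches(local, domain, constraint):
    """rfc822Name rule: 'user@host' is one mailbox, 'host' is every mailbox on
    that host only, '.domain' is every mailbox on a strict subdomain of it."""
    c = constraint.lower()
    if "@" in c:
        return c == local + "@" + domain
    if c.startswith("."):
        return domain.endswith(c)
    return domain == c


def email_within(child, parent):
    """True if every mailbox the child constraint admits is admitted by parent."""
    child, parent = child.lower(), parent.lower()
    if "@" in child:
        local, domain = child.split("@", 1)
        return mailbox_matches(local, domain, parent)
    if child.startswith("."):
        return parent.startswith(".") and child.endswith(parent)
    return parent == child or (parent.startswith(".") and child.endswith(parent))


def parse_constraints(value):
    """Parse 'dns:example.com,email:.example.com' into {'dns': [..], 'email': [..]}."""
    out = {"dns": [], "email": []}
    for item in filter(None, (s.strip() for s in value.split(","))):
        kind, _, name = item.partition(":")
        if kind not in out or not name:
            raise ValueError("malformed constraint %r" % item)
        out[kind].append(name)
    return out


def effective_constraints(chain):
    """Walk certifications from the offline root to the issuing key.  A link that
    names no constraint of a kind inherits its issuer's; one that does must fit
    inside them.  Raises ValueError if a link tries to widen."""
    eff = {"dns": [], "email": []}
    for cert in chain:
        mine = parse_constraints(cert.get("notations", {}).get(NOTATION, ""))
        for kind, within in (("dns", dns_matches), ("email", email_within)):
            if not mine[kind]:
                continue
            for name in mine[kind]:
                if eff[kind] and not any(within(name, p) for p in eff[kind]):
                    raise ValueError("%s widens %s constraints with %r"
                                     % (cert["key"], kind, name))
            eff[kind] = mine[kind]
    return eff


def authoritative_for(chain, uid):
    """True if the chain's effective constraints cover the User ID's mailbox.
    With no email constraint anywhere, every mailbox is permitted (PKIX default)."""
    local, domain = parse_user_id(uid)
    allowed = effective_constraints(chain)["email"]
    return not allowed or any(mailbox_matches(local, domain, c) for c in allowed)


# Constructed sample chain: an offline root bound to example.com, an online
# intermediate narrowed to mail.example.com, and one claiming a foreign domain.
ROOT = {"key": "root", "notations": {
    NOTATION: "dns:example.com,email:example.com,email:.example.com"}}
MAILER = {"key": "mail-ca", "notations": {NOTATION: "email:.mail.example.com"}}
ROGUE = {"key": "rogue-ca", "notations": {NOTATION: "email:.example.net"}}


def demo():
    r = {
        "root_host": authoritative_for([ROOT], "Alice <alice@example.com>"),
        "root_subdomain": authoritative_for([ROOT], "Bob <bob@hr.example.com>"),
        "root_foreign": authoritative_for([ROOT], "Mallory <mallory@example.net>"),
        "mailer_inside": authoritative_for([ROOT, MAILER], "Carol <carol@eu.mail.example.com>"),
        "mailer_outside": authoritative_for([ROOT, MAILER], "Dave <dave@example.com>"),
    }
    try:
        authoritative_for([ROOT, ROGUE], "Eve <eve@example.net>")
        r["rogue_rejected"] = False
    except ValueError:
        r["rogue_rejected"] = True
    return r
```

The point the code makes is the one about rails: once the root carries `email:example.com,email:.example.com`, the intermediate can say `.mail.example.com` and be accepted, but cannot say `.example.net`, and a verifier does not need a human judgement about the intermediate, only the narrowing check. Note that a leading-dot rfc822Name constraint covers strict subdomains only, so `.example.com` alone would not cover `alice@example.com`; the root above therefore lists both forms.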
