ietf

Re: [IAB] Mandatory encryption as part of HTTP2

2013-11-17 17:01:53
I am also worried about the developments with the NSA. I guess we are on
the same page there.

The PKI concept by itself does not say how many trust anchors you need
to use at your client. You are complaining about the way the WebPKI
looks and how the CA/Browser Forum is handling their business.
Allowing new trust anchors to be added means giving new CAs a chance to
enter the market. Let's say we only have one trust anchor. Would you
like that more? Probably not. I am not saying that there are issues with
the CA/Browser Forum but it is just difficult to pick the right number
of trust anchors in a browser.

One challenge is, of course, nobody trusts every CA and the intersection
of everyone's trusted CA lists is the empty set. That may give you
the impression that the PKI model is inadequate and there are, of
course, other models as well that provide different properties (for
example, the AAA model). I am not sure you will find them appropriate
either. Have you had a chance to look at them?

There have been various ideas on how to improve the PKI, and the IAB has
a security program that aims to make some progress in that area. I am
currently working on a draft update of
http://tools.ietf.org/html/draft-tschofenig-iab-webpki-evolution based
on the feedback I have received. Have you had a chance to look at the
different approaches people had suggested?

Finally, in your threat model, however, the use of a DH will also not
help since you have, as stated, the MITM attack at the ISP.

Ciao
Hannes


On 17.11.13 23:43, Masataka Ohta wrote:
Hannes Tschofenig wrote:

I know that it is very popular to bash the PKI system but there are
security differences between an anonymous DH and PKI deployment that
provides server-side authentication.

Assuming active MITM attacks both on ISP chains and CA chains,
what, do you think, are the differences?

A concrete example is especially welcome.

Note that we, non-US citizens, must expect such attacks, because
active MITM attacks of NSA on people without US citizenship are,
under US legislation, even legal.

And: Keep in mind that we have various activities in the IETF ongoing
that help to improve the security of the PKI.

As PKI is fundamentally insecure against active attacks, there is
no point in improving it.

I do realize the stupidity level of the IETF, especially on DNSSEC.

                                              Masataka Ohta