pem-dev

Re: goals review, anyone?

1994-03-03 16:26:00
At the recent security conference in San Diego I was having a beer
with an English and a Slovenian X.509 expert. I asked them whether

 1. A certificate states that the person identified by the given
    X.500 name owns the private key that corresponds to the given
    public key.
or

 2. A certificate states that the person identified by owning the
    given public key (which he can easily prove) is entitled to the
    specified position in the X.500 directory tree.

They picked #2.

Note that these correspond to two very different reasons why a
certificate might be revoked, one of which is that the key has
been compromised and the other that the person concerned has left
the company and someone else with the same name has joined. The
latter might be more common in some places than in others: A Korean
friend once told me that they have a saying "If you throw a brick
out the window you'll hit Kim".

Well subsequently another expert was scathing about the idea that you
can be identified by an identification number that might need to be
revoked, and I confess that this is a problem though not I think
insurmountable. However if you'll bear with me on that point...

When I get an authenticated mail message I firstly want to know that
it has not been forged: that it is from the person identified in the
From header. What I want to go with the signature is a certificate
saying that the person with the signing public key is entitled to a
particular e-mail address. Why bring Certificate Authorities into
this? It seems obvious to me that that certificate should be signed by
the postmaster@whatever.domain. The postmaster's certificate should be
signed by the domain with a chain leading up the DNS hierarchy and
accessible through the DNS if necessary.

I think the assumption that people will want to do business with other
people based on their owning a position in the X.500 hierarchy is
dubious. They would rather have a certificate saying "this person
is associated with bank account number xxx" and signed by the bank,
or "this person owns mastercard number yyy" and signed by Mastercard's
well known public key.

Certification Authorities seem to me to get in the way of sensible
certificates. Even in the simplest case how do they ascertain that a
person who turns up at their door is entitled to a particular X.500
DN? Even if he proves that he works for the named organization the CA
would have to know about that organization's internal name structure
and where the given person currently fits. The sensible answer adopted
by PEM is that the CAs are the same as the X.500 administrators, and
clearly the same sort of rule is needed for certificates about e-mail
addresses and certificates about Mastercard numbers: they should be
signed by the entity responsible not a separate CA.

It is still possible to use ASN.1/DN to handle these sorts of
certificates in a backward compatible way.

If we were to treat the public key as the entity identifier then it
would be helpful to have a directory structure leading from the public
key to information about that entity (that that entity wants to make
public). If you are interested in a plan for how to do that look in
spk.txt on ftp://ftp.mel.dit.csiro.au/staff/smart. I'd be interested
in any comments on that proposal.

By the way I am not suggesting that humans would use these giant
numbers: they would use one of the names that are certified to
correspond to the key, and in an internet/e-mail context that would
be the e-mail address.

Bob Smart
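
An added sketch, not part of the original message, of the chain described above: an e-mail address certificate signed by the domain's postmaster, the postmaster's by the domain, and so on up the DNS hierarchy to one trusted root key. Ed25519, the `Cert` layout, the `parent` naming rule and the `whatever.example` names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// Cert binds Name (a DNS domain or e-mail address) to Key; Sig covers tbs(Name, Key).
type Cert struct { Name string; Key ed25519.PublicKey; Sig []byte }
func tbs(name string, key ed25519.PublicKey) []byte { return append([]byte(name+"\x00"), key...) }

// parent is the assumed naming rule: user@dom -> postmaster@dom -> dom; a.b -> b; label -> "" (root).
func parent(name string) string {
	user, dom, isAddr := strings.Cut(name, "@")
	if isAddr && user != "postmaster" {
		return "postmaster@" + dom
	}
	if !isAddr {
		_, dom, _ = strings.Cut(name, ".")
	}
	return dom
}

// Entitled reports whether a root-first chain entitles its last key to addr.
func Entitled(root ed25519.PublicKey, chain []Cert, addr string) bool {
	signer, name := root, "" // each link must be signed by the key one level up
	for _, c := range chain {
		if len(c.Key) != ed25519.PublicKeySize || parent(c.Name) != name ||
			!ed25519.Verify(signer, tbs(c.Name, c.Key), c.Sig) {
			return false
		}
		signer, name = c.Key, c.Name
	}
	return len(chain) > 0 && name == addr
}

// Demo builds a constructed chain (root first) under a freshly generated root key.
func Demo() (ed25519.PublicKey, []Cert) {
	root, signer, _ := ed25519.GenerateKey(nil)
	var chain []Cert
	for _, n := range []string{"example", "whatever.example", "postmaster@whatever.example", "bob@whatever.example"} {
		pub, priv, _ := ed25519.GenerateKey(nil)
		chain, signer = append(chain, Cert{n, pub, ed25519.Sign(signer, tbs(n, pub))}), priv
	}
	return root, chain
}

func main() { root, chain := Demo(); fmt.Println(Entitled(root, chain, "bob@whatever.example")) }
```

A mail reader would then check the message signature against the last key in the chain and compare the entitled name with the From header.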