Hi Mischa and Wilco
at a Moonshot meeting in the UK earlier this year I pointed out that one
needs to place an awful lot of trust in a trust router, and I likened
its role to that of a CA, since it introduces two unknown parties to
each other via the DH exchange. You are saying that the trust needed in
a TR is even bigger than that in a CA, and I tend to agree with you.
Given that CAs have CPs and CPSs to document how trustworthy their
procedures are, and have audits to validate that they abide by them, I
said that TRs would need to do something similar, but this went down
like a lead balloon and was not something that people wanted to hear. As
Joss's reply indicates, I think he wants to keep trust at the buddy
level, between friends who know and trust each other, and of course this
works well for small closed communities. But it wont work for large
disparate communities where relationships are more tenuous and many
transitive trust links are needed, and it certainly wont work at a
global Internet scale. But then the existing CA PKI system does not work
perfectly at the global level either, even with CPs, CPSs and audits,
and we have many documented cases of the system breaking down. (We also
have cases of governments purposefully subverting it as well.) This is
the possible future for trust routers.
regards
David
On 01/07/2014 10:28, Josh Howlett wrote:
> Hi Wilco,
>
>>> The assumption here is that the CA operator (or its RAs) can be trusted
>>> to
>>> issue a certificate bearing the peer's true identity more than the Trust
>>> Router operator can be trusted not to modify the DH exchange.
>> The problem is slightly more complex than that, but it depends on scale.
>> Is there 1 trust router operator or is there a network of operators?
>> If the trust router network is federating internationally, is there 100%
>> trust in every trust router operator? How far does that trust go?
>
> That trust only has to stretch as far as my paranoia will allow it. If in
> connecting to a particular operator means exceeding my paranoia threshold,
> I can either peer with a more trusted operator, or else connect directly
> with the peer concerned.
>
> I personally anticipate a network of operators -- if that doesn't
> transpire, we have failed. I believe that they will compete on their
> corporate trustworthiness, the quality and scope of their trust
> connectivity, and cost.
>
> (In the particular case of R&E, I don't anticipate competition between
> operators. It is clear that different communities within R&E will
> gravitate towards those organisations that they have an affinity with
> already.)
>
>> Does that trust go as far as them knowing the identity and all SAML
>> attributes of authentication sessions that are initially routed through
>> that trust router?
>
> No: SAML messages are transported directly from the IdP to SP, and not
> through the TR network.
>
>> This is true, but even a compromised CA cannot perform a
>> man-in-the-middle attack on the system without compromising either the
>> routing or the trust router itself. False certificates can be issued by
>> CAs, though this is definitely not common practise, nor is it a feasible
>> angle of attack without compromising an entire CA.
>
> Or an RA...
>
>> Large scale handing
>> out of false certificates would mean the end of the CA (Look at what
>> happened to DigiNotar).
>
> Sure. But none of this negates my point that CAs (or KDCs, etc) cannot
> also be malicious actors or subverted.
>
>> Do you trust the certificate your bank issues
>> and is signed by a 3rd party? Why (not)?
>
> I trust it to the extent that the rendering of the padlock in my browser
> results from a layering of turtles so deep and complex that in practice my
> trust decision actually boils down to my faith in the corporate
> trustworthiness of Apple and the other actors providing my software, UK
> consumer protection law, and my identity theft insurance policy. The
> identity of the 3rd party that signed the certificate (e.g., whether it
> happens to be VeriSign or Comodo) would not factor into my trust decision
> at all. All we have in common is the byzantine tower of turtles that we
> call the Web PKI.
>
>>>
>>> Of course a Trust Router, as an online system, could be compromised by a
>>> malicious actor more easily than an offline CA. However it is worth
>>> noting
>>> that Trust Routers only need to be visible to their immediate clients
>>> and
>>> peers unlike, say, an OSCP responder that must be exposed to the
>>> Internet
>>> at large. It makes no sense to trust an issuer to verify an identity
>>> more
>>> than you trust the same issuer to retract that claim.
>>>
>>>
>> Well, sure, but the main problem is that the Trust Router is both in
>> charge of routing and identity verification. This is a single point of
>> failure from a security standpoint and could compromise an entire
>> federation.
>
> Again I don't see this as different from any other trusted third party.
> Sure, you could move identity verification to another trusted third party,
> but I don't understand how moving the problem solves it.
>
> Josh.
>
>
> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> not-for-profit company which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
>
|
