
Re: Netscape Changes RSA tree



|
| Why are you designing the tree part into your system?  It doesn't
| really help, because I still need to consider how much I trust a given
| CA's certification policy.

Because it will likely reduce in practice the number of such CAs that 
I have to evaluate.

|
| It also limits things unnecessarily.  If MIT's organizational CA fits
| the policy for more than one "tree", why not allow it to be part of
| both?

It doesn't.

Remember: Who certifies that it fits the policy for more than one tree? 
*That* certificate is part of that tree.  If I get a certificate that says:
	Name: Marc@MIT.EDU
	Key: xxx
	CA: MIT.EDU
	Policy: certifies anyone who can pay tuition of $21000/yr TDM (-:)
Then how do I know whether MIT really enforces that policy?  There must 
be a certificate
	Name: MIT.EDU
	Key: yyy
	CA: CIA.GOV
	Policy: very good verification of claimed policy
How do I know (etc.)?  Eventually, it comes to a list of CAs that I 
have verified, outside the system, to enforce certain policies, and 
acquired their public keys. If MIT's policy is OK by another "tree", 
then there will need to be another certificate
	Name: MIT.EDU
	Key: yyy
	CA: ARPA.GOV
	policy: almost no verification of claimed policy
If you want me to believe that a message signed with your key is really 
from you, and you don't know if I trust MIT directly, or ARPA or CIA, 
then you'll have to include all the above certificates in 
communications with me signed by your key "xxx".

At this point in this example, we have two (trivial) trust trees:

CIA.GOV -> MIT.EDU -> MARC@MIT.EDU

ARPA.GOV -> MIT.EDU -> MARC@MIT.EDU

Now imagine that CIA and ARPA certify hundreds of universities and they 
certify thousands of students and staff each.  I still only need to trust 
one of two CAs in order to have some degree of confidence in the 
identity of messages from those students/staff. With no hierarchy, I'd 
have to have out-of-band ways of knowing the association between 
O(100,000) keys and their owners. Even with one level, I need to have 
out-of-band knowledge of hundreds of keys and their owners. Clearly, the 
hierarchies are a win.  But if there is only one hierarchy, I might 
have no choice but to trust the CIA.

| And regardless of all that, I might choose to sign a relative's
| or friend's key directly.  I don't want to have one key pair as my
| "Marc's CA" key, and another for day to day operations.  (Actually, I
| probably do, but I should be free to make that decision.)

Again -- where is this ruled out?

|
| Tell me again what's wrong with a plain web?

Tell me how you find the mutually trusted CA in a web efficiently, and 
how you avoid needing a large number of certificates from a large 
number of CAs in order to get one from a CA that I trust.

| You almost certainly
| want to have well-known policy bits encoded in each signature, but
| that's not something you hardwire into the design.

More than that -- the config for the app must have a list of CAs that the 
user of that app trusts. In a totally anarchic web, it'll be too big.  
In a forest of trees, you only have to remember the public key for the 
root of each tree -- something that we think is going to be not too 
large a number.

Paul
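A toy chain validator for the Name/Key/CA/Policy certificates discussed above, added here as an example and not part of the original thread. It assumes an HMAC under the issuer's key as a stand-in for a real public-key signature, a `roots` dict mapping root names to keys acquired out of band, and constructed key strings; it shows that MARC@MIT.EDU's key is accepted by a recipient trusting only CIA.GOV or only ARPA.GOV, rejected by one trusting neither, and that a sender who does not know which root the recipient trusts must attach all three certificates.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    name: str    # subject
    key: str     # subject's key
    ca: str      # issuer name
    policy: str  # issuer's stated certification policy
    sig: str     # issuer's signature over the fields above

def _tag(issuer_key, name, key, ca, policy):
    # Toy stand-in for a public-key signature: an HMAC under the issuer's key.
    body = f"{name}|{key}|{ca}|{policy}".encode()
    return hmac.new(issuer_key.encode(), body, hashlib.sha256).hexdigest()

def issue(ca, ca_key, name, key, policy):
    return Cert(name, key, ca, policy, _tag(ca_key, name, key, ca, policy))

def link_ok(cert, issuer_key):
    expect = _tag(issuer_key, cert.name, cert.key, cert.ca, cert.policy)
    return hmac.compare_digest(expect, cert.sig)

# Constructed keys and the three certificates from the message.
CIA_KEY, ARPA_KEY, MIT_KEY, MARC_KEY = "cia-key", "arpa-key", "yyy", "xxx"
POOL = [
    issue("MIT.EDU", MIT_KEY, "MARC@MIT.EDU", MARC_KEY, "certifies anyone who can pay tuition"),
    issue("CIA.GOV", CIA_KEY, "MIT.EDU", MIT_KEY, "very good verification of claimed policy"),
    issue("ARPA.GOV", ARPA_KEY, "MIT.EDU", MIT_KEY, "almost no verification of claimed policy"),
]

def valid_chains(pool, leaf, roots):
    """Chains leaf -> ... -> a cert issued by a root in `roots` (name -> out-of-band key); every link checked."""
    found = []
    def walk(chain):
        top = chain[-1]
        if top.ca in roots:          # reached a trust anchor: check the last link
            if link_ok(top, roots[top.ca]):
                found.append(chain)
            return
        for c in pool:               # otherwise climb to the issuer's own cert(s)
            if c.name == top.ca and c not in chain and link_ok(top, c.key):
                walk(chain + [c])
    walk([leaf])
    return found

def bundle_for_unknown_recipient(pool, leaf, all_roots):
    """Certs a sender must attach when it does not know which root the recipient trusts."""
    certs = {c for chain in valid_chains(pool, leaf, all_roots) for c in chain}
    return sorted(certs, key=lambda c: (c.name, c.ca))
```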