David,
I have to agree with Stefan and Steve on this.
1) DNS may be mis-trusted (falsely treated as a trusted entity)
with disastrous results, but properly designed applications would
permit PKI to fix that, not fail because of it. A signed object
containing a DNS name permits detection of DNS failures.
Any purely DNS-based identity registration process is, of course,
as weak as DNS itself, so PKI at a minimum would have to use
something like credit card identity proofing through multiple
channels (physical mail of a registration secret + home
telephone activation) if it wishes to claim better assurance
for real (vs. pseudonymous) identities than that provided by DNS.
2) It is not the REST model that is of concern - short CRLs,
OCSP responses, or their signed SAML equivalents could be
retrieved just as easily using RESTful requests (SOAP/resource)
as with LDAP, CMC, or SOAP/RPC. As Stefan says, it is the
signed object generated by a trusted PKI component that counts,
not the method by which it is obtained. Of course, a CA
with any particular level of assurance could operate a WebDAV
interface that yields the same results as its CRLs, but you
intend WebDAV revocation responders to not be limited
to CAs, thus greatly expanding the attack surface of the system.
Is there a way to leverage all three portions of the proposal
(REST conceptual model, REST protocols, and naming models)
while preserving the end-to-end (PKI to consumer application)
properties of signed objects?
What the WebDAV scheme gives you is instant revocation
status, which CRLs do not give you, but the tradeoff is
having to trust the repository.
If "instant" is the goal, I believe it would be better
achieved by morphing the repository into a basic assurance
PKI component with its own keys. A CA's CPS can document
any deliberative process it wants (including none) before
revoking certs, thus permitting delegated responders
(WebDAV or other) to achieve any desired tradeoff between
response time and accuracy.
V/R,
Dave
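To make the point in 2) concrete (the signed object is what counts, not the transport), here is an added example in Go; it is not code from the message above or from any of the proposals it discusses. It assumes Go 1.21 or later for the x509.RevocationListEntry API, and every name in it ("Example Root CA", "Example WebDAV Repository", serial 1001, the helpers selfSigned, signCRL, revocationStatus and RunScenario) is invented for the demonstration. The consumer is handed raw CRL bytes with no knowledge of whether they came over LDAP, HTTP GET, WebDAV or SOAP; it accepts them only if the signature verifies under the CA it trusts and the validity window covers the current time. Three CRLs with identical content are tried: one fresh and CA-signed, one signed by the repository's own key (the "trust the repository" tradeoff), and one CA-signed but stale (the short-CRL freshness check).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a self-signed certificate that can sign CRLs. Constructed
// test material: neither the "CA" nor the "repository" below is real.
func selfSigned(cn string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	pubDER, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	ski := sha256.Sum256(pubDER) // CreateRevocationList needs a SubjectKeyId on the signer
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId:          ski[:20],
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}

// signCRL issues a DER CRL under key/signer listing one revoked serial. How a
// consumer later fetches the bytes (LDAP, HTTP, WebDAV, SOAP) changes nothing.
func signCRL(key *ecdsa.PrivateKey, signer *x509.Certificate, revoked *big.Int, thisUpdate, nextUpdate time.Time) []byte {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(7),
		ThisUpdate: thisUpdate,
		NextUpdate: nextUpdate,
		RevokedCertificateEntries: []x509.RevocationListEntry{
			{SerialNumber: revoked, RevocationTime: thisUpdate},
		},
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, signer, key)
	if err != nil {
		panic(err)
	}
	return der
}

// revocationStatus is the consumer: the bytes earn no trust until the signature
// verifies under the trusted CA and the CRL's validity window covers now.
func revocationStatus(crlDER []byte, ca *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, errors.New("CRL outside its validity window: fetch a fresh one")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// RunScenario queries one serial against three CRLs of identical content.
func RunScenario() (revoked bool, repoErr, staleErr error) {
	now := time.Now()
	caKey, ca := selfSigned("Example Root CA")
	repoKey, repo := selfSigned("Example WebDAV Repository")
	serial := big.NewInt(1001) // hypothetical certificate under query
	fresh := signCRL(caKey, ca, serial, now.Add(-time.Hour), now.Add(time.Hour))
	byRepo := signCRL(repoKey, repo, serial, now.Add(-time.Hour), now.Add(time.Hour))
	stale := signCRL(caKey, ca, serial, now.Add(-3*time.Hour), now.Add(-time.Hour))
	revoked, _ = revocationStatus(fresh, ca, serial, now)
	_, repoErr = revocationStatus(byRepo, ca, serial, now)
	_, staleErr = revocationStatus(stale, ca, serial, now)
	return revoked, repoErr, staleErr
}

func main() {
	revoked, repoErr, staleErr := RunScenario()
	fmt.Printf("CA-signed fresh CRL: revoked=%v\nrepository-signed CRL: %v\nstale CA CRL: %v\n", revoked, repoErr, staleErr)
}
```

The repository-signed CRL is rejected even though its content is byte-for-byte what the CA would have published, which is the "having to trust the repository" cost in a scheme where the repository rather than a PKI component produces the status. If the repository is instead turned into a delegated responder with its own CA-issued CRL-signing certificate, the consumer would verify against that certificate after chaining it to the CA; the freshness window is then whatever the CA's CPS chooses between response time and accuracy.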