[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: WG Last Call on draft-ietf-pkix-tac-03

To: Stephen Kent <kent@xxxxxxx>
Subject: Re: WG Last Call on draft-ietf-pkix-tac-03
From: Stephen Farrell <stephen.farrell@xxxxxxxxx>
Date: Wed, 13 May 2009 22:19:05 +0100
Cc: Stefan Santesson <stefan@xxxxxxxxxxx>, ietf-pkix@xxxxxxx
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <C624A231.1D5A%stefan@xxxxxxxxxxx> <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.21 (X11/20090302)



Stephen Kent wrote:
>> *4) Conceptual question
>> *I have another conceptual question.
>>
>> Wouldn't it be possible to achieve the same anonymity assurance
>> without doing the blind signature (step 4-5).
>> This is also the question using Stephen's and David's altered model.

Well, I think there may be a few ways to go at it that differ
from the current draft. My concern was more with the communications
paths used rather than an objection to the use of the threshold
scheme.

>>
>> The AI already knows that the request is genuine because the user
>> provides a valid token.
>> The AI can now issue an anonymous certificate that is unknown to BI.
>> In case of problems, AI releases the token that can be sent to BI for
>> identification of the user.
>>
>> What extra level of assurance for anonymity is given to the user by
>> the threshold signature scheme?
>>
>> I can see that it prevents AI from issuing certificates on its own,
>> and thus is an assurance that there actually exist a BI record that
>> the BI will honor in case of problems, but if AI was trusted to only
>> issue valid certificates based on valid tokens, then what is the gain?
>> The follow up question is: If there as a reasonable mode where this
>> protocol can be used without deploying the threshold signature scheme,
>> then wouldn't it be valid to describe that as an optional scenario
>> within which the basic protocol can be used?
> 
> The use of a split signature scheme contributes to the argument that the
> TAC CA is taking precautions to help preserve user anonymity in the
> issuance process. 

I'm not sure I follow that - how does the scheme show the CA is taking
precautions? The entities involved could still collude regardless of the
scheme, or could honestly not collude even if no threshold scheme were
used.

> The use of this mechanism is not directly visible to
> the user, as you and others ave noted. However, in many contexts, a CA
> operating a TAC service may need to satisfy accreditors that it is
> providing this service in a trustworthy fashion. This is what motivated
> the KISA folks, who perform assessments of CAs in their country, to call
> for use of the split-signing approach. Thus the use of split-signing is
> not an arbitrary, academic proposal, but rather is motivated by the
> experience of a group of folks who perform CA evaluations and who want
> to have an RFC that they can cite as the basis for their evaluations of
> TAC CAs.  I think we should defer to their experience as CA evaluators
> in this instance.

Deference? In the IETF? That's optimistic. ;-)

However, since this is aimed at experimental I'd be fine if some
text were added that pointed out the alternatives and the differences
between the various flows. That way, the issue could be revisited
if/when the spec were put on the standards track.

S.


> Steve

Follow-Ups:
- Re: WG Last Call on draft-ietf-pkix-tac-03
  - From: Stephen Kent

References:
- Re: WG Last Call on draft-ietf-pkix-tac-03
  - From: Stefan Santesson
- Re: WG Last Call on draft-ietf-pkix-tac-03
  - From: Stephen Kent

Prev by Date: Re: straw poll
Next by Date: ASN.1 straw poll, take 2
Previous by thread: Re: WG Last Call on draft-ietf-pkix-tac-03
Next by thread: Re: WG Last Call on draft-ietf-pkix-tac-03
Index(es):
- Date
- Thread