Re: Trivial PKI Question




At 10:44 PM +0100 3/3/03, Anders Rundgren wrote:
A "TRIVIAL" PKI QUESTION
-----------------------------------

Assume that you have a business message like a purchase order

    <Order>
        <From name="Big Buyer Corp.">
            <OurRef name="John Doe"/>
        </From>
        <To name="MegaCar International"/>
        <Item>10 Medium-sized SUVs</Item>
        <Comment>Make it quick please!</Comment>
    </Order>

Now assume that "Big Buyer Corp." is an advanced organization
using digital signatures.

==============================================
Question:  How should the identity as expressed in the document
relate to the identity as expressed by the signer's certificate?
==============================================

Among the complications we find

1.  The PKI-identity is presumably "strong" as it is vouched for by a
     CA, while the identity in the business document is only "claimed"
     by the entity itself.  ==> The PKI identity is governing?

Whether the identity in the Subject name is accurate depends on who the CA is and whether the CA has vouched for a name for which it is authoritative, or whether it has done some checking on the likely accuracy of some name for which the CA is not authoritative. So, I think we already disagree about one premise of your question.


It is clearly desirable that there be an exact match between a name in a cert and the name in the document, IF the authorization policy requires that level of authentication. As others have noted, another likely scenario is that the RP needs only to know that the cert was issued by an organization that will assume liability for the actions of the individual to whom the cert is issued, irrespective of the specific ID in the cert and in the document.

2.  The hierarchical naming system used by PKI (X.500) is completely
     different to the various naming schemes used in businesses.

"completely different" is an odd construct in English, and arguably just plain wrong in this context. If I am issued a cert that has a subject name of the form "C=US, O= Verizon, OU= BBN Technologies, CN = Stephen Kent" that is a hierarchic name that is readily mapped to my identity in my professional context, and thus is not at all "completely different" as you assert.


3.  Some PKI-folks claim that signatures should be tied to individuals.
     Does this mean that the signer's certificate in the sample should
     identify John Doe of Big Buyer Corp.?

Some LAWS require that signatures be tied to individuals in some contexts. It's not just a matter of opinions expressed by "PKI experts." But, you have not provided a sufficient description of the context to determine if there is a problem here or not.


4.  The receivers (relying parties) are automated processes supposed
     to securely handle similar messages from numerous business parties.

A reasonable goal.


5.  Current e-commerce standards like ebXML and Web Services do
     NOT address this basic question.

You have failed to articulate a well-formed question, so the conclusion above is not supported by your arguments.


My own conclusion is that PKI was created to support e-mail where
these questions do not arise.  For other types of messaging, PKI in
its current shape does not scale well, or at least creates as many
new problems as it was meant to solve existing ones.

Definitely wrong. E-mail security encounters some of the problems you allude to above, e.g., the mismatch between the Subject DN and an e-mail address as a suitable, native ID form. X.509 v3 addressed this problem with the Subject AltName extension and the RFC822address name form. But, the assertion above is naive, at best.


Regarding #1, I believe that most business systems ignore the PKI-
identity due to #2, #3 and #4.  Although a bit weird, the logic behind
that is that if an entity having a known key/cert is "lying", they will
sooner or later get in trouble anyway.  The drawback is that this will
be found out by a *human*, and usually only *after* a malpractice has
been performed.

I have no idea what "most business systems" do, but since we often see people making poor design choices, I would not be surprised by any claims of what may be done. Still, remedial security measures are very common in many financial transactions and so we ought not say that such an approach is not "secure" absent a more thorough analysis of the threat model, etc.


A LONG-TERM REMEDY
-------------------------------

To create a foundation for more frictionless PKI-secured e-business,
I think that there *long-term* should be a one-to-one mapping between
[basic] business message identities and certificate identities.
As the business community is never going to adopt X.500 naming, as
well as having their own naming problems, this will likely require
changes on both sides.  A possible scheme using the currently only
globally functioning naming system (DNS/URIs), is that entities are
uniquely defined by two elements:

Any time someone uses the term "frictionless" I know we've moved into marketing hype land.


- A naming domain (name space) based on a URI like: "http://www.visa.com/cc";
- A local identifier in that domain like: 4555-5555-2244-8888

Although the example identified a credit-card, the scheme works for just
about any kind of object or entity.  An advantage of using HTTP URIs is
that you usually can get further information "by clicking on the link".

Oh. This is just another advertisement for your notions on how to "fix" everything that is "wrong" with X.509.


Nevermind,

Steve
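
The two authorization policies contrasted in the reply above (an exact match between certificate and document names, versus relying only on an issuer that assumes liability for its signers), shown as an added example that is not part of the original message. The policy names, the `liable_issuers` table and any CA names passed to it are hypothetical, and the Subject and Issuer DNs are assumed to come from a certificate whose signature and chain have already been validated.

```python
import xml.etree.ElementTree as ET

# The order from the quoted message; its signature is assumed already verified.
ORDER_XML = """<Order>
  <From name="Big Buyer Corp."><OurRef name="John Doe"/></From>
  <To name="MegaCar International"/>
  <Item>10 Medium-sized SUVs</Item>
</Order>"""

def norm(name):
    """Collapse whitespace and case-fold so equivalent names compare equal."""
    return " ".join(name.split()).casefold()

def parse_dn(dn):
    """Parse a simple 'C=US, O=Example' string into [(type, value), ...].
    Escaped commas and multi-valued RDNs (RFC 4514) are not handled."""
    pairs = []
    for rdn in dn.split(","):
        key, sep, value = rdn.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((key.strip().upper(), norm(value)))
    return pairs

def claimed_identity(order_xml):
    """Return (organization, individual) exactly as the document claims them."""
    sender = ET.fromstring(order_xml).find("From")
    if sender is None or not sender.get("name"):
        raise ValueError("order carries no From/@name")
    ref = sender.find("OurRef")
    return sender.get("name"), (ref.get("name") if ref is not None else None)

def signer_acceptable(order_xml, subject_dn, issuer_dn, policy, liable_issuers):
    """Apply one of two hypothetical relying-party policies to a verified signer."""
    org, person = claimed_identity(order_xml)
    if policy == "exact-match":
        # Document names must appear in the certificate's Subject DN.
        subject = parse_dn(subject_dn)
        return (("O", norm(org)) in subject and person is not None
                and ("CN", norm(person)) in subject)
    if policy == "issuer-liable":
        # Only the issuer matters: it must be the CA the relying party has
        # agreed (out of band) answers for signers of the claimed organization.
        agreed = {norm(k): parse_dn(v) for k, v in liable_issuers.items()}
        return agreed.get(norm(org)) == parse_dn(issuer_dn)
    raise ValueError(f"unknown policy: {policy!r}")
```

Under "issuer-liable" a certificate naming a machine or role rather than John Doe is still accepted, which is the case where the specific ID in the cert is irrelevant to the relying party.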