Re: Authentication, cancels, etc

From: Brad Templeton (brad@templetons.com)
Date: Wed Oct 17 2001 - 13:31:39 CDT


On Wed, Oct 17, 2001 at 10:00:25AM +0000, Charles Lindsey wrote:
> In <20011016121428.D19909@main.templetons.com> Brad Templeton <brad@templetons.com> writes:
>
>
> >On Tue, Oct 16, 2001 at 09:35:54AM +0000, Charles Lindsey wrote:
>
> So if A certifies that this obscure injecting site in Tibet is indeed who
> it claims to be, and if B certifies that the obscure certifier A is indeed
> a competent certifier whose certificates ought to be believed, and if C
> (who is a well-known-worldwide certifier who claims that _everybody_
> should trust him) certifies that B is OK (that's a chain of 4
> certificates), and if NONE of them keep any records as to whom they have
> certified, or the evidence they based their certification on, then how can
> they even contemplate renewal of the certificates when they expire?

You can't renew a certificate _after_ it expires without going through
a repeat of the certification process. You renew a certificate before
it expires automatically if there are no known problems with the
certificate. You don't need to keep track of the certified, but you
do need to keep track of revoked certificates, of course. (Not just
the CAs, actually, but every site.)

You don't renew the revoked certificate.

USENET is based on trust and volunteerism. The main goal in securing it
is not to distrust everybody, but to be able to prevent abuse.

A USENET system would on the whole try to give the benefit of the doubt,
a presumption of good will to anybody willing to volunteer to manage
something on the net. However, the difference is certificates give
the power to take that away.

For most of its history, USENET had no security and today it has just
a little. Remarkably, the "approved" header even still works far more than
I would ever expect, though spam in moderated groups is increasing.

Now you still make secure what you can readily make secure, and you
don't deliberately leave holes behind because of laziness. But you
do leave "holes" behind when it comes to trusting people, because you
can always revoke the trust.

> Clearly, they are all incompetent, which means that no site is likely to
> trust any of them. Certainly I wouldn't. And in such a lax regime, how
> easy would it be for Hipcrime to get a plausible looking certificate?

A certificate to do what?

You ask for more trust, more quality on certificates that do more
powerful things. I would expect certificates of root power over an
entire hierarchy would be quite carefully allocated and scrutinized.
I expect lesser scrutiny as you go down the line.

As I have noted, for the certificate that lets you post and cancel as
a given domain, I think the same security used to control ownership of
the domains by domain registrars is clearly all we want to do, since if
they can hijack the domain, the ability to forge or cancel a usenet
posting is the least of worries.

Note as well that I strongly advocate that everywhere it's easy to do,
each operation on USENET have an "undo". In effect "cancel" is an undo
for posting. I recommend "uncancel" be added to the control message
list. Of course, reposting is sort of an undo for cancel but it
sends the messages out of order, and people end up reading them twice, and
threads are broken unless there is really, really good supersedes management.
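As an added illustration (not code from this thread or from any USENET software), here is a toy model of the chain Charles describes (site certified by A, A by B, B by the well-known C) under the rules Brad states: the verifying site keeps its own revocation list, renewal is automatic only before expiry and only if the certificate is not revoked, and a domain-level certificate grants only post/cancel for that one domain. All names, scopes, serials and dates are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # who is certified: an injecting site or a certifier
    issuer: str    # who signed it
    scope: str     # "certifier", "domain:<name>" or "hierarchy:<name>"
    expires: int   # constructed day number (not a real timestamp)
    serial: int    # unique per issuer; (issuer, serial) identifies a cert

# The "well-known-worldwide" certifier C is the only trust anchor here.
TRUST_ROOTS = {"C"}

def verify_chain(chain, revoked, today):
    """Walk leaf -> intermediates -> trusted root. `revoked` is the
    verifying site's own set of (issuer, serial) pairs; every site keeps
    one, not just the certifiers. Returns (ok, reason)."""
    for i, cert in enumerate(chain):
        if (cert.issuer, cert.serial) in revoked:
            return False, f"{cert.subject}: revoked"
        if cert.expires <= today:
            return False, f"{cert.subject}: expired"
        if i > 0 and cert.scope != "certifier":
            return False, f"{cert.subject}: not a certifier certificate"
        if i + 1 < len(chain) and chain[i + 1].subject != cert.issuer:
            return False, f"{cert.subject}: issuer {cert.issuer} is not next in chain"
    if chain[-1].issuer not in TRUST_ROOTS:
        return False, f"chain ends at untrusted issuer {chain[-1].issuer}"
    return True, "ok"

def may_renew(cert, revoked, today):
    """Automatic renewal only while still valid and not revoked; once a
    certificate has expired, the holder repeats the certification process."""
    return cert.expires > today and (cert.issuer, cert.serial) not in revoked

def allows(cert, action, target):
    """Scoped authority: a domain cert covers post/cancel/uncancel as that
    domain only; a hierarchy cert covers group control inside that hierarchy."""
    kind, _, name = cert.scope.partition(":")
    if kind == "domain":
        return action in ("post", "cancel", "uncancel") and target == name
    if kind == "hierarchy":
        return action in ("newgroup", "rmgroup", "cancel") and target.startswith(name + ".")
    return False

# Constructed sample chain: site <- A <- B <- C (C is the trust root).
SITE = Cert("injector.example.net", "A", "domain:example.net", expires=400, serial=1)
CERT_A = Cert("A", "B", "certifier", expires=500, serial=7)
CERT_B = Cert("B", "C", "certifier", expires=600, serial=3)
CHAIN = [SITE, CERT_A, CERT_B]
```

Revoking A's certificate (serial 7 issued by B) invalidates the site's chain even though the site's own certificate is untouched, which is why the verifying site, not only the CAs, must consult the revocation list.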


This archive was generated by hypermail 2b29.