[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xri-editors] URI authority resolution
Gabe, the trust chain in your scenario doesn't make sense to me. The XRID you describe as being resolved from "@community*evilmember" asserts that it is equivalent to "@!1!2!3". And you're saying it is "@microsoft" that is really equivalent to "@!1!2!3". That's cool - so there are 3 delegation chains represented here - two i-name chains and one i-number chain. 1) "@" delegates to "*community" delegates to "*evilmember". 2) "@" delegates to "*microsoft" (we should avoid real names in these examples). 3) "@" delegates to "!1" delegates to "!2" delegates to "!3". In your scenario, "@community" is the authority that would return the XRID for "*evilmember". And if that XRID contains a digitally assigned assertion that "@community*evilmember" is equivalent to "@!1!2!3", then its the "@community" registry that can't be trusted, not "*evilmember". Presumably any registry that is going to issue assertions of equivalence between XRIs is going to require authentication from the registrants of those XRIs. So before "@community" enters into its registry and starts signing assertions that "*evilmember" is equivalent to "@!1!2!3", "@community" should be asking the "@!1!2" registry for authentication that the registrant of "*evilmember" is also the registrant of "@!1!2!3". On the other hand, if the XRID from the "@" registry asserts that "@microsoft" is equivalent to "@!1!2!3", the it's the @ registry (or its registrars) that should authenticate that the registrant of "@microsoft" is also the registrant of "@!1!2!3". Either way, it's still up to the resolver to decide what registry it trusts. But the whole idea of trusted resolution is predicated on following a chain of trust down the delegation chain, right? I'm very familiar with this scenario as we're building the foundation for it in the XDI.ORG Global Services Specifications right now. Or have I missed a larger point in your scenario? =Drummond -----Original Message----- From: Wachob, Gabe [mailto:firstname.lastname@example.org] Sent: Monday, November 29, 2004 3:00 PM To: Davis, Peter; Drummond Reed Cc: email@example.com Subject: RE: [xri-editors] URI authority resolution I'd argue that even your trusted rez example can't be trusted. Consider the following, where everything is signed by a single trusted root (ie the @ trust root): @microsoft "maps" to @!1!2!3 @community*evilmember "maps" to @!1!2!3 Both are digitally signed by their owners (@microsoft and @community*evilmember respectively). Even if @ polices its namespace, it doesn't follow that it can police the XRI Descriptors which are in delegated namespaces below @ such as @community. If we allow the "maps" assertion to be two way (ie "equivalence"), then some resolvers could be tricked into thinking that @!1!2!3 can be mapped to @community*evilmember (since equivalence can be stated as a bidirectional mapping). Whats wrong with this? Consider this attack: 1) A resolver resolves @community*evilmember into an XRI Descriptor has statements about local access services that point to the evilmember. The resolver caches the XRI Descriptor and notes the equivalence statement for future use. 2) A resolver resolves @microsoft into @!1!2!3 via a "equivalence" 3) Because @!1!2!3 is asserted to be the same as @commmunity*evilmember, the resolver uses the cached XRI Descriptor for @community*evilmember instead of freshly resolving @!1!2!3 (ie transitive equivalence) 4) The resolver is tricked into using the local access services of @community*evilmember rather than the ones actually run by microsoft... The problem lies in step 3 where a strong form of bidirectional & transitive equivalence is assumed. Thats a problem, even if everyone is digitally signed a la trusted resolution. Assertions should only be made "outwards" from what is resolved and not "inwards" to what is resolved (if that makes sense). -Gabe __________________________________________________ firstname.lastname@example.org Chief Systems Architect Technology Strategies and Standards Visa International Phone: +1.650.432.3696 Fax: +1.650.554.6817 > -----Original Message----- > From: Davis, Peter [mailto:email@example.com] > Sent: Monday, November 29, 2004 2:42 PM > To: Drummond Reed > Cc: firstname.lastname@example.org > Subject: RE: [xri-editors] URI authority resolution > > > so, i agree with Gabe, in that equiv. statements are at the addressing > layer, and we should use a term such as 'mapping' when > discussing other > xri's which point to the same representation. > > trustable mapping is performed via trusted resolution, which > returns an > assertion of equivalence... that is, an assertion that > @Microsoft/(+website) is another name for the resource > representation of > http://www.microsoft.com/ or @!1!2!3/(+website) > > 'synonym' is as good a term as any i suppose, tho linguistically, > synonyms tend to imply a more lax equivalence. > > --- peterd > To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/xri-editors/members/leave_workg roup.php.