OASIS Mailing List Archives


xri message


Subject: Re: [xri] trust profiles for XRD


The problem with the proposal is that it assumes that a transfer of
ownership means that all previous data on the domain will be lost.

- alice.name is owned by Small Company LLC, using one of these special
new certificates that is promised to be non-reassignable.

- Small Company LLC gets bought by another company.  Can the new
company get the Small Company LLC cert renewed?

- Small Company LLC reincorporates in another country for tax reasons.
 Can they get the cert renewed?

- What if Small Company LLC sells just the domain?

- What if Small Company LLC goes bankrupt and the domain is bought at auction?

- What if Small Company LLC accidentally lets the domain lapse and
then renews it the next day?  What if they renew it next year?

- What if Small Company LLC has a data center catch fire and loses the
private key?

There is no magical way to address these policy issues.  We can't
build software (or a spec) that assumes magic will happen to address
them.

If you've got serious security concerns about reassigning
certificates, my advice is not to use a PKI, and to give up on
automatic rotation of keys.  Use self-signed certs that you exchange
with people you trust, using channels you trust.  Or use a CA with
policies around reassignment that you like.

Cheers,
Brian

On Thu, Dec 18, 2008 at 8:50 AM, Sakimura Nat <n-sakimura@nri.co.jp> wrote:
> For b), please refer to the post that I did a couple of minutes ago.
> Simply put, it does not... well, it just means that we cannot use the raw DNS based uri as CanonicalID.
>
> Could you kindly elaborate a)?
>
> =nat
>
> ________________________________________
> From: Brian Eaton [beaton@google.com]
> Sent: December 19, 2008 1:26
> To: Sakimura Nat
> CC: Ben Laurie; George Fletcher; XRI TC
> Subject: Re: [xri] trust profiles for XRD
>
> Doing this would break
>
> a) key rotation.
> b) legitimate reassignment of domains.
>
> On Thu, Dec 18, 2008 at 8:18 AM, Sakimura Nat <n-sakimura@nri.co.jp> wrote:
>> One of the easiest ways is to rely on a registry that makes sure that the identifier is not going to be recycled.
>> Properly run CA's higher assurance cert's Subject is one such example.
>> XRI registry's persistent XRI (i-numbers) is another example.
>>
>> Rest is as described in the previous mail.
>>
>> =nat
>>
>> ________________________________________
>> From: Ben Laurie [benl@google.com]
>> Sent: December 18, 2008 16:53
>> To: Sakimura Nat
>> CC: George Fletcher; Brian Eaton; XRI TC
>> Subject: Re: [xri] trust profiles for XRD
>>
>> On Thu, Dec 18, 2008 at 7:11 AM, Nat Sakimura <n-sakimura@nri.co.jp> wrote:
>>>
>>>
>>> Ben Laurie wrote:
>>>>
>>>> On Wed, Dec 17, 2008 at 11:20 AM, Nat Sakimura <n-sakimura@nri.co.jp>
>>>> wrote:
>>>>
>>>>>
>>>>> Thanks Brian for the write up.
>>>>>
>>>>> I have added comments to the wiki.
>>>>>
>>>>> Basically, it is kind of unfortunate, in addition to what George has
>>>>> pointed
>>>>> out, if we consider the case of domain owner change into the scope, it
>>>>> breaks.
>>>>>
>>>>
>>>> Surely any signing scheme breaks if the owner of the signing authority
>>>> can change?
>>>>
>>>
>>> In the long run, the signing authority of the XRD and the owner of the domain
>>> do not have to match.
>>> Signing authority for my XRD that has my CanonicalID is me even if I lose the
>>> authority over the domain.
>>
>> So how does this work?
>>
>
