2nd Annual PKI Research Workshop
Domain Name System Security (DNSSEC) Status Update
Sam Weiler, Network Associates Laboratories
Weiler reported that the DNSSEC code works, but has not been deployed because of a
lack of IETF standards and end-client support. The latter is especially
problematic — without client support, you just can't get to a DNSSEC-protected
site. Weiler described this as "the kind of thing that has CEO secretaries
telling IT to turn it off." DNSSEC allows delegation, but doesn't let you
prevent a delegate from making subdelegations.
Attribute Certificates for Managing and Delegating Privileges
Markus Lorch, Virginia Tech
After surveying how privilege management generally works now — via account
creation and deletion — Lorch argued that privilege holders should be able to
delegate privileges directly. Among Grid researchers, researchers and managers
are typically the ones making the delegation decisions; they want to be able to
implement those decisions as well. Lorch is working on attribute certs
supporting single privileges, simple roles, resource policy statements, and
revocation statements.
Efficient Security for BGP Route Announcements
Meiyuan Zhao, Dartmouth College
S-BGP uses PKI to secure BGP; Zhao's work involves investigating the
computational cost of doing so, and making the process more efficient. Taking
advantage of the structure of BGP processing, the new method, called
Signature-Amortization (S-A), is designed to reduce cryptographic overhead
by amortizing the cost of private-key signatures over many messages. S-A
provides convergence times as good as or better than those offered by the highly optimized S-BGP,
but without the complications and costs of caching and DSA precomputation. A
tech report is available.
An Object Oriented Extension to X.509
Anders Rundgren, X-OBI AB
Where RFC 3280 makes a CA cert the parent of an arbitrary set of next-level
certs (high-assurance, low-assurance, etc.),
OO-PKI makes a CA cert "a descriptive container" of a uniform set of child
certs. Rundgren noted that OO-PKI can interface with SQL and is compatible with
almost all existing end-entity cert profiles.
HANDLE: A Secure Global Name Service
Sam Sun, CNRI
Sun noted that his work on HANDLE has involved lots of interaction with the IETF
URN Working Group. The service allows you to define your own data types, and
each handle has its own administrator record. Sun described the HANDLE system as
"a collection of handle services, each of which consists of one or more
replicated sites," and as a kind of "DNS for humans." HANDLE is being used to
identify published works, and is being put forward to store personal information
including certs. Sun is also interested in developing a prototype for
application to the web of trust.
Connecting Estonian State Registers
Margus Freudenthal, Cybernetica
Estonia wants to implement paperless communication between state agencies.
Freudenthal described a two-level authentication system: an employee
authenticates to the agency where they work, which authenticates to the agency
that has the desired information. Everything is logged (these logs are legally
admissible), and a central authority settles disputes. DNSSEC is used to
distribute certs and revocation information. The system connects 20 agencies so
far and is heavily used; so far there have been no major problems.
The Happy Fun Anonymizer
Sean Smith, Dartmouth College
Referring to super-DMCA, Smith described the Anonymizer as "still legal in 44
states"; he also noted that it's mostly the work of a student of his who grew up
in a police state, and who therefore sees "anonymity as a civic good thing." The
Anonymizer takes you to the Google cache of a site rather than the site itself,
letting the user get the information stored on a controversial server without
actually having to visit it. Smith described this project as "proof of concept
that if Google ran an anonymizer service, it could be a lot better than the
existing ones."
Defunct Intermediate CAs
Burt Covnot, Bank of America
Bank of America has a large number of web servers with certs that expire at many
different times; Covnot described how Bank of America manages the process of
replacing these certs before they expire.