Cryptographic authentication of VOEvents

Bob Denny rdenny at dc3.com
Mon Sep 10 11:27:45 PDT 2012 

I have written to John and Roy privately on this issue, and wish to remain
publicly out of it. Peter Gutmann most definitely has his mind about him, and is
an engineer not a researcher. My kind of person. It is important to include in
your discussions the issues with X.509 certificates. Here is another Gutmann
missive (and a not so funny quote that appears therein):

http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
<http://www.cs.auckland.ac.nz/%7Epgut001/pubs/x509guide.txt>

>                    I knew a guy who set up his own digital ID heirarchy, could
>                    issue his own certificates, sign his own controls, ran SSL
>                    on his servers, etc.  I don't need to pay Verisign a
>                    million bucks a year for keys that expire and expire.  I
>                    just need to turn off the friggen [browser warning]
>                    messages.
>                         -- Mark Bondurant, "Creating My Own Digital ID", in
>                            alt.computer.security.

The idea of needing to go to a Certification Authority for a cert, and pay
money, etc., is a white dwarf business now. Mark Shuttleworth made a bl**dy
fortune selling these certs (Thawte, South Africa) which are basically worthless
because identity failures were unenforceable.  Verisign has to charge an arm and
a leg because they are in the U.S. and exposed to lawsuits. Big companies buy
these things for SSL on websites, period. So what do ordinary people do now for,
e.g., SSH certs? Self-signed! Absolutely worthless for identification, and no
way to add trust. This is another aspect of XML Signature that needs consideration.

  -- Bob

> Hi Norman,
>
> On 10 Sep 2012, at 02:19, Norman Gray <norman at astro.gla.ac.uk> wrote:
>> On 2012 Aug 9, at 06:48, John Swinbank wrote:
>>
>>> I have written up my thoughts in some detail here
>>>
>>> https://github.com/jdswinbank/Comet/blob/master/docs/VOEvent-OpenPGP.rst
>>>
>>> and I would appreciate your comments on them.
>> That's an interesting document (though it was producing a 404 last time I looked); thanks also for the pointer to Peter Gutmann's remarks.
> This now lives at <http://comet.readthedocs.org/en/latest/appendix/VOEvent-OpenPGP.html>; apologies for the changing URL. Anybody who doesn't fancy wading through my text to find it might want to skip directly at Gutmann's document at <http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt>.
>
> [... etc ...]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.ivoa.net/pipermail/voevent/attachments/20120910/0db532c2/attachment.html>

More information about the voevent mailing list