2023-02-27
Future Internet PKI schemes need to be bootstrapped through web PKI
On the Fediverse, I said
Thesis: any realistic, viable Internet PKI scheme in the moderate future will have to bootstrap from web PKI, because web PKI is where the usage is to drive people to address ('solve' in a non-mathematical sense) the hard problems. You don't literally have to use HTTPS, but you need public TLS.
Counterpoint: end to end encrypted messaging. But I think that broadly that has an 'introduction' (identity) problem.
(Brought on by thinking of DNSSEC cf <@tqbf post>)
A core element of any public key infrastructure (PKI) is identifying things, because by themselves public keys are relatively useless; you care about using public keys to talk to something or authenticate some information, and for that you need to know who you're talking to or who is giving you this information. Identifying things on the Internet can sound simple ('root of trust' everyone says in chorus) but it turns out to be very hard to do in practice in the face of attackers, misaligned incentives, mistakes, and other issues. There is exactly one Internet PKI system that is solving this problem in practice with a demonstrated ability to operate at scale and despite problems, and that is public web TLS.
Public web TLS is doing the hard work to deal with these problems on an ongoing basis because HTTPS websites are a dominating thing that people care about on the Internet. Various organizations put a lot of money toward this, operating significant infrastructure and spending expensive people's time on both operational issues and design issues. The realistic odds that any new Internet PKI scheme can either get those level of resources or duplicate the effectiveness of the results without them is low. However, a new scheme can get many of the benefits by bootstrapping itself from web PKI in some way, relying on web PKI for at least a first level of identification protection.
DNS over TLS and RFC 8461 SMTP MTA Strict Transport Security (MTA-STS) are both examples of bootstrapping additional Internet PKI using web PKI. MTA-STS directly uses HTTPS as part of this bootstrapping; DNS over TLS merely relies on public (web) TLS for identifying things, and so depends on all of the pieces of modern TLS that make it hard to sidestep that. By contrast, DNSSEC is a completely independent Internet PKI scheme, one that lacks protections such as an equivalent of TLS Certificate Transparency (see eg this Fediverse post).
The counterpoint to my thesis is end to end encrypted messaging systems, which don't make any core use of the web PKI ecology. However, these have an 'introduction' problem, which is the question of how you establish both your identity within the messaging system and the identity of the other people you're talking to. In high security environments, often this requires out of band mechanisms to verify in-system identities in some way (you and your counterparty might meet in person to exchange identifying 'safety numbers', for example).
(Web PKI can't be used to solve this problem because web PKI identifies names on the Internet, in a hierarchy, not people's abstract identities within some system.)