Global Unique Secure Names

In this chapter, we will explore another feature of Eccentric
Authentication. We combine what we have so far with other
security mechanisms out on the internet and do something new, again.

We create global unique, human meaningful, secure, distributed, anonymous identities.

That’s quite a mouthful. Let’s break it up and discuss the parts in turn.

global unique

Remember from chapter 2 (Anonymous Logins) that the single requirement
before signing a client certificate is that its nickname must be
unique. In chapter 4 we register each certificate at a central registry
to verify that property. And we call certificate authorities that
sign multiple certificates for a single nickname dishonest and
untrustworthy.

That is for a good reason. By ensuring that names are unique, we can
use them as identifiers. We can refer to the certificate by its
nickname. To state it another way, we can say: “Ask mr. Bob” and it
is clear that there can only be one person who holds that
certificate. What happens here is that we can fetch the certificate
and, in it, the public key. With that key we can send encrypted messages to mr
Bob, whoever he is. There is only one mr Bob at our site.

There is one piece missing. We only have the guarantee that there is
only one mr Bob at our example dating site. There can be many other
sites with a person having a certificate with the nickname “mr
Bob”. Some might belong to the same person, but many of these accounts
probably belong to other people.

How are we going to distinguish between those mr Bobs? Simple: we add
the site name to the nickname on the certificate. The certificate will
read “mr Bob@@datingsite.nl”. There can be a “mr
Bob@@InternetLiebe.de” or a “mr Bob@@google.com”. But don’t go looking for love at google… ;-)

The problem with domain names is that until recently there was no way
to make sure you were not redirected to a scammer. With DNSSEC, we
have that guarantee. There can be only one “datingsite.nl”,
“InternetLiebe.de” and “google.com”.

There is still the risk that a government forces a DNSSEC registrar to
change the registration to some hostile site. We will deploy DANE to
counter that threat in the next chapter, 7 “Censorship
resistance”. See there for the details of how we do that.

When we combine the FPCA and DNSSEC with DANE we can create global unique names.

human meaningful

The name “mr Bob@@datingsite.nl” is worldwide unique. It points to
only one certificate. We have the global registry of (dis)honesty to validate that
there is no other certificate that bears the same user name and site
name.


This means: we have global unique, human readable names. You can print
your nickname on a business card and everyone can retrieve the
corresponding certificate with the public key. Unlike other
cryptographic protocols, there is no need to validate fingerprints
or to maintain a web of trust. This makes it easier to use than other
cryptosystems.

secure

Once you’ve received a certificate, there is no way that the
Certificate Authority can take it back. The signer has no control
over the certificate once it’s handed out. The site operator does
control what people can do on his site once they log in to
it, and he can decide to blacklist certain certificates from logging
in entirely. But he can’t stop people from using the certificate as
an identity.

certificate is identity

Once you have the certificate, it is a means to identify you to
others. It is effectively a new identity of yours, one of many you
probably possess. That’s why the eccentric authentication protocol
doesn’t offer the means to retract any client certificate. Once you’ve
given someone an identity, it would be rude to take it away.

Whether you decide to use the certificate to log in at the site that
signed it or use it as mail-identity with an independent message box
is entirely up to you.

It means that the people who request a certificate at your FPCA get
to use the site name as part of their identity. This means that
this protocol should not be used where you need to control who may
carry your site name. So gmail.com and hotmail.com are examples where it could
be used very well, while for google.com and microsoft.com you’d better
use a more controlled (and less anonymous) form of signing.

distributed

There is no single point of control.

The identities (nickname@@sitename) are completely
decentralised. Anyone who registers a domain name for a web shop can
set up an FPCA. In fact, anyone who opens a web shop is encouraged to
do so. It offers the easiest way for potential customers to sign up
for an account at your shop.

The global registry of (dis)honesty from chapter 4 is conceptually a
single database. In practice it should be built as a network of local
registries that share the certificates they receive amongst each
other. It’s probably the only way to deploy that service, as it’s
expected that people will have many certificates.
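To make the two registry passages concrete (the global name “nickname@@sitename” pointing to exactly one certificate, and local registries that share what they receive), here is an added example that is not part of the original text or the Eccentric Authentication project. It models one local registry node that records the first certificate seen for each global name, flags a site’s FPCA as dishonest when a second, different certificate shows up under the same name, and merges in another node’s records; the certificate bytes and the SHA-256 fingerprint are constructed stand-ins, not the project’s format.

```python
import hashlib


def parse_global_name(name):
    """Split 'nickname@@sitename' into (nickname, sitename).

    The site part is lower-cased because DNS names are case-insensitive;
    the nickname is kept exactly as written on the certificate."""
    nick, sep, site = name.rpartition("@@")
    if not sep or not nick or not site:
        raise ValueError(f"not a global name: {name!r}")
    return nick, site.lower()


def fingerprint(cert_bytes):
    """Fingerprint under which the registry stores a certificate (assumed SHA-256)."""
    return hashlib.sha256(cert_bytes).hexdigest()


class LocalRegistry:
    """One node of the registry of (dis)honesty: (site, nickname) -> fingerprint."""

    def __init__(self):
        self.seen = {}          # (nickname, site) -> first fingerprint seen
        self.dishonest = set()  # sites whose FPCA signed two certs for one nickname

    def _record(self, key, fp):
        known = self.seen.get(key)
        if known is None:
            self.seen[key] = fp
            return "new"
        if known == fp:
            return "known"       # same certificate reported again: no problem
        self.dishonest.add(key[1])
        return "conflict"        # second certificate for the same global name

    def register(self, global_name, cert_bytes):
        """Record a certificate reported for global_name; returns new/known/conflict."""
        return self._record(parse_global_name(global_name), fingerprint(cert_bytes))

    def merge(self, other):
        """Take over another node's records, as the sharing network would do.
        Returns the verdict per global name; conflicts surface exactly as if
        the other node's certificates had been registered here directly."""
        self.dishonest |= other.dishonest
        return {f"{n}@@{s}": self._record((n, s), fp) for (n, s), fp in other.seen.items()}
```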

There is the single hierarchy of DNS names. Although it might be scary
to put all eggs in that single basket, it is not as scary as it
looks. Because there is only a single hierarchy, many people are
watching it like a hawk. It cannot be changed without someone noticing
and raising an alarm. It is ‘politically secure’: too many different
opinions to agree on anything in common.

And if some domain names would be changed by the powers that be, it
does not lead to loss of privacy. Chapter 7 has all the details.

anonymous identities

As you might recall from earlier chapters, there is no need to provide
any personal details when signing up for a certificate. It is as
anonymous as you want to be. As certificate holder, you decide if and
when to reveal personal details.

If you use a system like Tor to hide your connection point to the
internet, no one can figure out who you are when you connect to a
service.

Even though you can be completely anonymous, you still have the
freedom to create a Certificate Authority of your own and sign only your
own certificate. Of course, everything you do with that certificate
will be tied to your personal identity. But as a celebrity, that’s exactly your intention.

It doesn’t mean that you cannot sign up at other services with an
anonymous certificate. When you use Tor, it’s very hard for people to
connect that anonymous account to your real identity. Unless you
decide to publish that fact.