[OpenID] TransparencyCamp and OpenID (U)

Peter Williams pwilliams at rapattoni.com
Mon Mar 16 19:13:11 UTC 2009


SSL is already decoupled from the DNS; it is a subprotocol that exchanges information between layer 4 entities. There once existed literal winsock plugins you could add to Windows.

Https is a layer 7 protocol, concerned with the semantics of URLs. In the case of https, the layer 7 entity must validate the namespace component of the URL, which occurs using a combination of PKI and DNS.

In practice, the kernel mode implementations of layer 4 protocol handling call back into user space to perform their layer 7 duties: to talk to DNS, interpret and enforce PKI controls, and thence enforce the namespace rules of the https scheme, ensuring that certificate cn= naming fields (or other multi-valued extensions these days) and host-headers/socket-bindings "align" with enforcement "logics" such as wildcard, or absolute match, or IP match, or others.

When the baseline https application context (a collection of protocols) is augmented by a hypermedia page resolver, https gets additional semantics that impact SSL session handshakes, session resumes, and connections, in line with hypermedia and the HTTP 1.1 keep-alives.

So, SSL is already decoupled from DNS, by fundamental architecture. Whether some open source code using curl does or does not do that when supporting Python and Ruby, I've no idea. I don't build those kinds of systems.

So if you want to subclass the Windows moniker for https URLs so that instead of PKI it does dynamic metadata exchange (where live entities do realtime signing of XRDs, much like folks do realtime signing now of SAML2 metadata for websso endpoints), you can. Presumably, one can do similar things in Java, too. If you are very familiar with the Apache project software, it may be possible to do all that "naturally" with openssl too, for all I know.

What I don't know is whether Windows easily allows (something that source code access to the Apache libs obviously facilitates) third-party extension of the record layer protocols in the core SSL/TLS infrastructure, so that one's messages and flows can access the cryptoapi-based security primitives and state machine.

> -----Original Message-----
> From: SitG Admin [mailto:sysadmin at shadowsinthegarden.com]
> Sent: Monday, March 16, 2009 11:24 AM
> To: Peter Williams
> Cc: general at openid.net
> Subject: Re: [OpenID] TransparencyCamp and OpenID (U)
>
> Peter,
>
> >If we look at the assets and their properties, we can perhaps see
> >that first, Https is clearly in dire need of re-imagining (it's sooo
> >early 90s DARPA-internet in its design concept). But, it is also
> >well suited to the problem at hand, if we can break the DNS hegemony.
>
> Are you suggesting that we might be able to decouple SSL from DNS,
> for example with "smart" browsers informing the user that "site.com"
> is using a new key/cert and prompting to select nicknames to
> differentiate between "site.com" with the old key/cert and "site.com"
> with the new, but still allowing the user to remember *both* for the
> purpose of future browsing?
>
> -Shade
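The "alignment" checks the message above describes (absolute match, wildcard, IP match, with the subject CN as a fallback) as an added Python example; this is not code from the thread. The function names, the rule that a wildcard covers exactly one leftmost label, and the "at least two labels after the wildcard" restriction are simplifications assumed here; a real client should rely on its TLS library's own verifier.

```python
import ipaddress


def _match_dns(pattern, hostname):
    """Match one dNSName pattern against a hostname, case-insensitively.
    A wildcard is honoured only as the whole leftmost label and matches a
    single label: '*.example.com' matches 'a.example.com' but neither
    'example.com' nor 'x.y.example.com'. Patterns like '*.com' are
    rejected (assumed rule: at least two labels after the wildcard)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname          # absolute match
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False                        # partial or nested wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def identity_matches(target, san_dns=(), san_ip=(), cn=None):
    """Decide whether a certificate's naming fields align with the target.
    target  : host the client connected to (DNS name or IP literal)
    san_dns : subjectAltName dNSName entries
    san_ip  : subjectAltName iPAddress entries
    cn      : subject CN, consulted only when no dNSName SAN is present"""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP match: only an iPAddress SAN counts; a name never matches an IP
        return any(ipaddress.ip_address(x) == ip for x in san_ip)
    if san_dns:
        return any(_match_dns(p, target) for p in san_dns)
    return cn is not None and _match_dns(cn, target)


# Constructed sample: a wildcard cert presented for two different hosts
SAMPLE_CERT = {"san_dns": ["*.example.com"], "cn": "www.example.com"}
print(identity_matches("www.example.com", **SAMPLE_CERT))   # True
print(identity_matches("example.com", **SAMPLE_CERT))       # False
```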


