
Last Call Review of draft-ietf-pkix-tac-
review-ietf-pkix-tac-secdir-lc-hoffman-2009-06-25-00

Request
Review of: draft-ietf-pkix-tac
Requested revision: No specific revision (document currently at 04)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2009-06-30
Requested: 2009-06-22
Authors: Sanghwan Park, Yoojae Won, Jaeil Lee, Stephen Kent, Haeryong Park
I-D last updated: 2009-06-25
Completed reviews: Secdir Last Call review of -?? by Paul E. Hoffman

Assignment
Reviewer: Paul E. Hoffman
State: Completed
Request: Last Call review on draft-ietf-pkix-tac by Security Area Directorate (Assigned)
Completed: 2009-06-25

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

This is an experimental protocol for creating "traceable anonymous
certificates". These certs split the authority into two entities, one who
issues an end-entity cert with a pseudonym, and another who verifies that the
end entity has the private key.

There are many pretty deep security issues with the proposal, mostly that there
are many ways where the anonymity of the user can be exposed. In many ways,
this represents leap-of-faith anonymity. The security consideration section
swings around wildly on recommendations for how a user can maintain their
anonymity, but at least mentions a few times that this is all pretty much
conditioned on factors over which the end entity has no control.

On a personal note, I doubt that this will be at all useful in practice. The
end entity is trading off trusting one CA to not reveal personal information
against trusting two CAs to not collude, plus having to get multiple certs over time
from different CAs. Having said that, there are probably no security/privacy
considerations that are not already covered in the document.