Re: Security for various IETF services

2014-04-09 15:36:41
On 9 April 2014 21:15, Steve Crocker <steve(_at_)shinkuro(_dot_)com> wrote:

My own opinion is related but not identical.  I agree solutions 1 and 3
are failures; 1 doesn't provide the trust and 3 doesn't scale.  Solution 2
is also problematic because the government tends to overreach and there
isn't a single government.

DNSSEC provides a base platform to build upon.  It doesn't claim to
provide the level of trust the CA system tried to provide.  That's a key
strength, not a weakness.


DNSSEC, and DANE, allow you to provide a "Domain Validated" public key,
much like the cheap/free certificates currently available from CAs, but
more reliably and simply. I think the same level of trust is there either
way, except that the cheap/free CA certs are very weakly validated in
practice.

CAs can provide actual identity assertions, and in private situations
authorization information.

I suspect that if we can get DANE deployed, we'll see most of the cheap and
somewhat useless CAs vanish, and only those with reasonable trust remaining
survive on fully validated, EV et al, certs, actually, but that's beside
the point.

I wonder if we can't use DANE, S/MIME, WebFinger and a little
sensibly-applied PKI, so that:

1) You could find out assertions of what CA (if any) users of a particular
domain use for end-user client certificates via a TLSA record. Say _users
IN TLSA ...

2) We can use WebFinger to find the certificate itself, and therefore a
possibly signed assertion of actual identity, both WebFinger and this
certificate protected currently by stock PKIX (and in the future, DANE).

I think this gives you essentially everything anyone might want, but for
added bonuses, we could do a web-of-trust thing hanging off WebFinger
(publish any signatures anyone else is prepared to give you) or via public
services.

However, it's probably been suggested before and shot down before, so feel
free to point me to its death notice. :-)

Dave.
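
An added example, not part of the message above and not taken from any specification of this idea: a sketch of how a relying party could check point 1, that an end-user certificate chains to a CA the domain has asserted in a TLSA RRset. The TLSA field values are those of RFC 6698; the certificate bytes and the RRset are constructed stand-ins, and the RRset is assumed to have been DNSSEC-validated by the resolver already.

```python
import hashlib
from typing import NamedTuple, Sequence

class TLSA(NamedTuple):
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data

def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA RDATA in presentation format: 'usage selector mtype hex'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA RDATA needs usage, selector, matching type, data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in range(4) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter")
    # Zone files may split the hex data across whitespace; rejoin it.
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))

def association(der: bytes, mtype: int) -> bytes:
    """Apply the matching type to the selected certificate bytes."""
    if mtype == 0:
        return der
    return hashlib.sha256(der).digest() if mtype == 1 else hashlib.sha512(der).digest()

def issuing_ca_pinned(rrset: Sequence[str], chain: Sequence[bytes]) -> bool:
    """True if a trust-anchor record (usage 0 or 2) matches a CA cert in chain.

    chain[0] is the end-user certificate; chain[1:] are the CA certificates.
    Only selector 0 (full certificate) is evaluated; selector 1 would need an
    ASN.1 parser to extract the SubjectPublicKeyInfo, so such records are skipped.
    """
    for rdata in rrset:
        rec = parse_tlsa(rdata)
        if rec.usage not in (0, 2) or rec.selector != 0:
            continue  # not a CA assertion this sketch can evaluate
        if any(association(ca, rec.mtype) == rec.data for ca in chain[1:]):
            return True
    return False

# Constructed stand-ins for DER-encoded certificates (not real certificates).
USER_CERT = b"constructed-user-cert-der"
DOMAIN_CA = b"constructed-domain-ca-der"
OTHER_CA = b"constructed-other-ca-der"
# Constructed RRset, standing in for what a domain might publish for its users.
RRSET = ["2 0 1 " + hashlib.sha256(DOMAIN_CA).hexdigest()]
```

A certificate whose chain does not contain the asserted CA, or an RRset holding only end-entity records (usage 1 or 3), yields `False`.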