
Re: Using DNS system as a Global Root Certificate Authority - possible ?

2015-12-27 00:08:57
On Sat, Dec 26, 2015 at 10:11:31PM -0500, John C Klensin wrote:

> And even that equation tends to be complicated by the
> observation that the trust relationship, as far as certification
> of identity is concerned, is with the registrars (and, in some
> cases, their agents and resellers) rather than with the
> registries.  At that point, the number of trusted intermediaries
> gets back toward order 40 or 100, not one, unless the question
> is "do you control this domain" rather than "are you who you say
> you are".

It hasn't been "are you who you say you are" for quite some time, not
for the vast majority of certificates.  EV certificates are rather rare
with the exception of some of the largest sites.  Certainly the "Let's
Encrypt" CA will not do anything resembling "are you who you say
you are".

Once the question does boil down to whether the party requesting
the certificate controls the domain (rather than the "brand"), the
only party with an authoritative answer to that question is the
registrar on record for the domain.

Provided the domain is registrar-locked, DNSSEC gets one about as
much confidence as one can get in answer to this more modest
question.  The party who authorized the DS records via the registrar
has administrative control over the domain's DNS and thus can
delegate authority over any keys published at and below the zone
apex.

This is certainly not a solution to phishing and the like, but it
can provide useful keying material for application protocols.

--      Viktor.
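The message above rests on the DS record at the parent committing to the child's DNSKEY, which is what lets the party who authorized the DS (via the registrar) delegate authority over keys at and below the zone apex. The following is an added example, not code from this thread or from Viktor, showing how that commitment is computed and checked per RFC 4034: the DS digest is SHA-256 over the owner name in canonical wire form followed by the DNSKEY RDATA, and the key tag is the RFC 4034 Appendix B checksum. The owner name and the 64-byte public key are constructed placeholders, not a real zone key.

```python
import hashlib
import hmac
import struct

# Constructed example data (not a real zone or key): a KSK-flagged DNSKEY
# (flags 257, protocol 3, algorithm 13 = ECDSAP256SHA256) for "example.com."
OWNER = "example.com."
DNSKEY_FLAGS = 257
DNSKEY_PROTOCOL = 3
DNSKEY_ALGORITHM = 13
DNSKEY_PUBKEY = bytes(range(1, 65))  # placeholder public key bytes

DS_DIGEST_SHA256 = 2  # DS digest type 2 (RFC 4509)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2):
    lowercase, each label length-prefixed, terminated by the root label."""
    name = name.lower().rstrip(".")
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("invalid label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for all algorithms except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey: bytes, digest_type: int = DS_DIGEST_SHA256) -> tuple:
    """Build the DS RDATA fields (key tag, algorithm, digest type, digest)
    that a parent zone publishes for this child DNSKEY (RFC 4034 s5.1.4)."""
    if digest_type != DS_DIGEST_SHA256:
        raise ValueError("only SHA-256 DS digests are handled here")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches_dnskey(ds: tuple, owner: str, flags: int, protocol: int,
                      algorithm: int, pubkey: bytes) -> bool:
    """Validator-side check: does the parent's DS commit to this child DNSKEY?
    The owner name is part of the hashed input, so a DS binds a key to one zone."""
    expected = make_ds(owner, flags, protocol, algorithm, pubkey, ds[2])
    tag, alg, dtype, digest = ds
    return (tag == expected[0] and alg == expected[1] and dtype == expected[2]
            and hmac.compare_digest(digest, expected[3]))


if __name__ == "__main__":
    ds = make_ds(OWNER, DNSKEY_FLAGS, DNSKEY_PROTOCOL, DNSKEY_ALGORITHM, DNSKEY_PUBKEY)
    print("DS %s IN DS %d %d %d %s" % (OWNER, ds[0], ds[1], ds[2], ds[3].hex()))
    print("matches published key:", ds_matches_dnskey(
        ds, OWNER, DNSKEY_FLAGS, DNSKEY_PROTOCOL, DNSKEY_ALGORITHM, DNSKEY_PUBKEY))
    # A swapped key (one byte changed) no longer matches the parent's DS.
    tampered = DNSKEY_PUBKEY[:-1] + b"\x00"
    print("matches tampered key:", ds_matches_dnskey(
        ds, OWNER, DNSKEY_FLAGS, DNSKEY_PROTOCOL, DNSKEY_ALGORITHM, tampered))
```

The DS check is only one link: a validator still needs the parent's DS RRset to be signed up to a trusted anchor, and, as the message notes, a registrar lock is what keeps the DS itself from being changed by someone who merely hijacks the registrar account.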