
Re: Using DNS system as a Global Root Certificate Authority - possible ?

2015-12-27 06:39:05
Hi Patrik,

On 12/27/15 6:35 AM, Patrik Fältström wrote:
> On 27 Dec 2015, at 4:11, John C Klensin wrote:
>
>> At that point, the number of trusted intermediaries
>> gets back toward order 40 or 100, not one, unless the question
>> is "do you control this domain" rather than "are you who you say
>> you are".
>
> It is not that bad as the domain in question is bound to one and only one
> registrar, which is a mapping that the registry is keeping track of. It is
> not the case that any registrar can do any change to any domain name.
>
> So, with today's CA system, any CA can sign a cert with any domain name in the
> CN.
>
> With the DNS and DNSSEC, only registries in the hierarchy from the root can
> publish the DS, and only one registrar can pass the DS to the parent for
> publication.

One would like to believe that name constraints as specified by RFC 5280
could be useful, and yet experience seems to show otherwise.  Perhaps
all is not lost.  My understanding is that the browser crowd in
particular have begun to tighten their requirements for having a CA in
their cache.  At least [1] seems to indicate so.  Name constraints are
an interesting area of perhaps some continued work.  That is, it seems
to me that *all* CAs should have some Name Constraints.  Further, it
also seems to me that very few CA certs should themselves be
self-signed.  Here's the problem: if ever there were a brown field, this
is it.  That requires some serious navigation through the installed base
to make a change.  Along these lines, I think many of us were quite
fascinated by Google's "interaction" with Symantec[2] since it seems to
represent a potential change in the dynamic.

Eliot

[1] https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_3_1.pdf
[2]
http://www.pcworld.com/article/2999146/encryption/google-threatens-action-against-symantec-issued-certificates-following-botched-investigation.html
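The RFC 5280 name-constraint check that the message above argues every CA should carry, worked through as an added example (not code from the thread or from any CA software). It implements the dNSName matching rule of RFC 5280 section 4.2.1.10 over a chain of CAs and shows how a constrained intermediate narrows what a leaf may claim in the same way a registry narrows which registrar may touch a domain. The constraint sets and host names are constructed for illustration; real deployments would read them from the certificate extensions.

```python
"""Evaluate RFC 5280 dNSName name constraints down a CA chain.

Added, self-contained example: constraints are plain Python data rather
than values parsed from real certificates (hypothetical inputs).
"""
from dataclasses import dataclass, field
from typing import List, Optional


def _labels(name: str) -> List[str]:
    # Case-insensitive, tolerate a trailing dot ("example.com." == "example.com").
    return name.lower().rstrip(".").split(".")


def dns_name_matches(name: str, constraint: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName satisfies a constraint when the constraint's
    labels equal the rightmost labels of the name, label by label.
    'example.com' covers 'example.com' and 'www.example.com' but not
    'notexample.com' (no partial-label matching)."""
    n, c = _labels(name), _labels(constraint)
    if len(c) > len(n):
        return False
    return n[len(n) - len(c):] == c


@dataclass
class NameConstraints:
    """One CA's constraints. permitted=None means the CA has no permitted
    subtree at all (unconstrained); an empty list permits nothing."""
    permitted: Optional[List[str]] = None
    excluded: List[str] = field(default_factory=list)


def name_allowed(name: str, chain: List[NameConstraints]) -> bool:
    """Apply every CA's constraints in the chain (root first). Per RFC 5280 the
    effective permitted set is the intersection of all permitted subtrees and
    the effective excluded set is the union of all excluded subtrees, so a
    name must pass each CA in turn."""
    for nc in chain:
        if any(dns_name_matches(name, x) for x in nc.excluded):
            return False
        if nc.permitted is not None and not any(
            dns_name_matches(name, p) for p in nc.permitted
        ):
            return False
    return True


def leaf_allowed(san_dns_names: List[str], chain: List[NameConstraints]) -> bool:
    """A leaf is acceptable only if every dNSName in its SAN passes the chain;
    one out-of-scope name rejects the whole certificate."""
    return all(name_allowed(n, chain) for n in san_dns_names)


def demo() -> dict:
    # Constructed chain: an unconstrained root, then an intermediate whose
    # scope is one registrant's zone, with a test subtree carved out.
    chain = [
        NameConstraints(),
        NameConstraints(permitted=["example.net"], excluded=["test.example.net"]),
    ]
    return {
        "in_scope": leaf_allowed(["www.example.net", "example.net"], chain),
        "foreign_name": leaf_allowed(["www.example.net", "www.example.org"], chain),
        "excluded_subtree": leaf_allowed(["host.test.example.net"], chain),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

The `permitted=[]` case is the one to watch in practice: an intermediate that carries an empty permitted list for dNSName cannot issue for any host name, which is sometimes intended (an S/MIME-only CA) and sometimes a misconfiguration that surfaces only when a client that actually enforces the extension rejects the chain.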
