
Re: Using DNS system as a Global Root Certificate Authority - possible ?

2015-12-27 07:42:32
On 27 Dec 2015, at 13:38, Eliot Lear wrote:

> One would like to believe that name constraints as specified by RFC 5280
> could be useful, and yet experience seems to show otherwise.  Perhaps all is
> not lost.

I do not have much to say apart from the interaction I already have had with 
CA/B Forum[1], and what SSAC's view on the difference between DNS and traditional 
cert structure is[2].

My only point was that it is not at all the case that all registrars can make 
changes to any subdomain of a domain managed by a registry, which was what I 
read in what John wrote:

> At that point, the number of trusted intermediaries gets back toward order 40
> or 100, not one, unless the question is "do you control this domain" rather
> than "are you who you say you are".

The registry does keep track of which of the registrars can make changes, so 
not every registrar (i.e. intermediary) can become "trusted".

If I misunderstood what he wrote, my apologies.

   Patrik

[1] SAC-057: https://www.icann.org/en/groups/ssac/documents/sac-057-en.pdf
[2] SAC-075: https://www.icann.org/en/groups/ssac/documents/sac-075-en.pdf
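The thread above turns on whether RFC 5280 name constraints could mirror the registry/registrar delegation that the DNS already enforces. The following is an added illustration, not code from this message or from any of its authors, of what a dNSName constraint actually checks per RFC 5280 section 4.2.1.10 (a name satisfies a subtree when zero or more labels are added on the left of it, so `www.host.example` satisfies `host.example` but `host1.example` does not) and how constraints accumulate down a path of CAs per section 6.1.4. The function and class names, and the three-tier "registry CA / registrar CA / leaf" scenario with the `.example` names, are constructed for the example.

```python
"""Added example: RFC 5280 dNSName name-constraint matching (hypothetical helper, not from the thread)."""
from dataclasses import dataclass, field


def _labels(name: str) -> list[str]:
    """Split a DNS name into labels, case-insensitively, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def dns_name_matches_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: `name` matches `subtree` if it equals it or is built by
    adding zero or more labels on the left. Comparison is done label by label,
    not as a string suffix, so "evilexample.com" does not match "example.com"."""
    n, s = _labels(name), _labels(subtree)
    return len(n) >= len(s) and n[len(n) - len(s):] == s


@dataclass
class NameConstraints:
    """The dNSName entries of one CA certificate's NameConstraints extension.
    An empty `permitted` list means "no permitted-subtree restriction"."""
    permitted: list[str] = field(default_factory=list)
    excluded: list[str] = field(default_factory=list)

    def allows(self, name: str) -> bool:
        # Excluded subtrees win over permitted ones.
        if any(dns_name_matches_subtree(name, x) for x in self.excluded):
            return False
        if not self.permitted:
            return True
        return any(dns_name_matches_subtree(name, p) for p in self.permitted)


def chain_allows(name: str, path: list[NameConstraints]) -> bool:
    """RFC 5280 6.1.4 intersects permitted subtrees and unions excluded subtrees
    along the certification path. For deciding a single leaf name, that is the
    same as requiring every CA in the path to allow it."""
    return all(ca.allows(name) for ca in path)


def demo() -> dict[str, bool]:
    """Constructed scenario: an unconstrained root, a 'registry' CA limited to
    the example subtree, and a 'registrar' CA limited to one delegated domain,
    which also excludes an internal sub-zone it does not want certified."""
    root = NameConstraints()
    registry_ca = NameConstraints(permitted=["example"])
    registrar_ca = NameConstraints(permitted=["host.example"],
                                   excluded=["internal.host.example"])
    path = [root, registry_ca, registrar_ca]
    return {
        "www.host.example": chain_allows("www.host.example", path),
        "host.example": chain_allows("host.example", path),
        "other.example": chain_allows("other.example", path),        # outside registrar delegation
        "db.internal.host.example": chain_allows("db.internal.host.example", path),
        "host.example.attacker.test": chain_allows("host.example.attacker.test", path),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28} {'allowed' if ok else 'rejected'}")
```

The label-wise comparison in `dns_name_matches_subtree` is the part implementations most often get wrong; a plain string-suffix test would let a name like `evilexample.com` pass a constraint of `example.com`.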
