
Re: Using DNS system as a Global Root Certificate Authority - possible ?

2015-12-27 17:59:24


--On Sunday, December 27, 2015 2:42 PM +0100 Patrik Fältström
<paf(_at_)frobbit(_dot_)se> wrote:

> My only point was that it is not at all the case that all
> registrars can make changes to any subdomain of a domain
> managed by a registry, which was what I read in what John
> wrote:
>
>> At that point, the number of trusted intermediaries gets back
>> toward order 40 or 100, not one, unless the question is "do
>> you control this domain" rather than "are you who you say you
>> are".
>
> The registry do keep track of which ones of the registrars can
> make changes, so not every registrar (i.e. intermediary) can
> become "trusted".
>
> If I misunderstood what he wrote, my apologies.

You did misunderstand the point I was trying to make, which
isn't about "who can make a change" but about "who can put the
name there in the first place", i.e., make an initial
registration.  The issue, as usual, comes down to what threats,
and threat model, one is concerned about.  If, as Victor's note
seems to suggest, the main concern is being able to find a key
with which to encrypt and have some reasonable confidence that
whoever controls the key also controls the relevant domain, then
that is one sort of problem.  If one is concerned about assuring
the user that the site is the intended one and, more to the
point, that anything encrypted to a particular key (whether
found/certified through a "normal" X.509 PKI mechanism or
something DANE-like) will be readable only to the intended
recipient, then that is a different sort of problem.

As a handy real-world example, consider
  ford.com
  fordmotorcompany.com
  fordcarcompany.com

The first two use the same registrar, the same name servers, and
have admin information that points to Ford Motor Company's
corporate HQ information.  The third uses a registrar in
Australia, identifying information that is as hidden as
possible, and a web site that apparently won't expose any
information at all unless one allows it to run scripts on the
local machine.  Nothing prevents such a registration, nor
prevents it from being used in a deceptive manner, nor setting
up keys that are bound to it, except the integrity of the
registrar, and I (much less a typical user) have no practical way
of determining whether "Fabulous.com Pty Ltd." is trustworthy.

Moreover, were Ford to let "fordmotorcompany.com" lapse --
intentionally or not -- there is nothing in ICANN's systems or
that of Verisign (as the registry operator for COM.) that would
prevent FraudRUs, operating as, or as a reseller of, an
ICANN-accredited registrar, grabbing the name, generating new
keys and/or certs, and committing evil deeds against any user
who stumbled upon that site, perhaps through habits or
established bookmarks.

So, again, it depends on what problem one is trying to solve,
which threat models are of interest, etc.

  best,
    john



