Re: Using DNS system as a Global Root Certificate Authority - possible ?

"Patrik Fältström" <paf@frobbit.se> Sun, 27 December 2015 06:35 UTC

From: Patrik Fältström <paf@frobbit.se>
To: John C Klensin <john-ietf@jck.com>
Subject: Re: Using DNS system as a Global Root Certificate Authority - possible ?
Date: Sun, 27 Dec 2015 07:35:41 +0100
Message-ID: <23F80B32-B026-4122-8EFD-52EA70A9D5B9@frobbit.se>
In-Reply-To: <D24618171F1482DB31C6B8AB@JcK-HP5.jck.com>
References: <CAOJ6w=EdXPzK7f=zS0epuYXkkEcwtop11Ttt6QUR1-FtN1rGWg@mail.gmail.com> <CAMm+LwgGhs_W9g2yG-HC6YDBiz++Z-G5hbNL=bFGAcDQXJK9AA@mail.gmail.com> <D24618171F1482DB31C6B8AB@JcK-HP5.jck.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/EFIbmMFegcp3utEGDVHz5LDKLcw>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, ietf <ietf@ietf.org>

On 27 Dec 2015, at 4:11, John C Klensin wrote:

> At that point, the number of trusted intermediaries
> gets back toward order 40 or 100, not one, unless the question
> is "do you control this domain" rather than "are you who you say
> you are".

It is not that bad, as the domain in question is bound to one and only one registrar, a mapping that the registry keeps track of. It is not the case that any registrar can make any change to any domain name.

So, with today's CA system, any CA can sign a cert with any domain name in the CN.

With the DNS and DNSSEC, only registries in the hierarchy from the root can publish the DS, and only one registrar can pass the DS to the parent for publication.

   Patrik
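The point in the reply above, that the DS published by the parent zone binds a child's key to exactly one owner name, can be made concrete by computing what a DS record actually commits to. The following is an added example, not code from the thread or from any DNSSEC implementation; the key tag and SHA-256 digest follow RFC 4034 Appendix B and RFC 4509, and the key bytes and zone names are constructed dummies.

```python
# Added example: what a parent zone's DS record commits to (RFC 4034 / RFC 4509),
# showing why only the parent's DS set places a child's DNSKEY in the chain of trust.
# All key material below is constructed dummy bytes, not real DNSSEC keys.
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS record (key tag, algorithm, digest type 2 = SHA-256, digest) as the parent publishes it.
    The digest covers the owner name, so a DS is bound to exactly one name, not just to a key."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def keys_authorized_by_parent(owner: str, parent_ds_set, child_dnskey_set) -> list:
    """Return the child's DNSKEY RDATAs that some DS in the parent's set commits to.
    Only the parent zone (the registry) publishes that DS set; a key with no matching DS
    is simply not in the chain, whatever anyone else asserts about the name."""
    published = set(parent_ds_set)
    return [rd for rd in child_dnskey_set if make_ds(owner, rd) in published]

# Constructed sample: a KSK (flags 257) for example.com, algorithm 8, dummy key bytes.
KSK = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(32)))
PARENT_DS = [make_ds("example.com", KSK)]

if __name__ == "__main__":
    print("example.com KSK in chain:", keys_authorized_by_parent("example.com", PARENT_DS, [KSK]) == [KSK])
    print("same KSK under other.com:", keys_authorized_by_parent("other.com", PARENT_DS, [KSK]))
```

The second print is the contrast with the CA model: the same key presented under a different owner name matches no DS, because the parent committed to the name and the key together.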