Re: Using DNS system as a Global Root Certificate Authority - possible ?

Phillip Hallam-Baker <phill@hallambaker.com> Sun, 27 December 2015 02:52 UTC

MIME-Version: 1.0
Sender: hallam@gmail.com
In-Reply-To: <CAOJ6w=EdXPzK7f=zS0epuYXkkEcwtop11Ttt6QUR1-FtN1rGWg@mail.gmail.com>
References: <CAOJ6w=EdXPzK7f=zS0epuYXkkEcwtop11Ttt6QUR1-FtN1rGWg@mail.gmail.com>
Date: Sat, 26 Dec 2015 21:52:45 -0500
Message-ID: <CAMm+LwgGhs_W9g2yG-HC6YDBiz++Z-G5hbNL=bFGAcDQXJK9AA@mail.gmail.com>
Subject: Re: Using DNS system as a Global Root Certificate Authority - possible ?
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Alexey Eromenko <al4321@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/M69DUuJqg-0DIrOcLwtZpwBEp2c>
Cc: ietf <ietf@ietf.org>

On Sat, Dec 26, 2015 at 3:22 PM, Alexey Eromenko <al4321@gmail.com> wrote:
> Hi all,
>
> Assume the DNS system added a new resource record (RR), which allowed
> publishing the public key for a particular FQDN.
>
> How secure or insecure would that be?
>
> Is there a way to *securely* retrieve such information from, for
> example, authoritative
> DNS server, without any middlebox (such as DNS proxy) mangling it ?
>
> And having TLD DNS servers as the top "Root Certificate Authorities".
>
> so an X.509 SSL certificate chain could look like:
>
> - "."
> +- ".com."
> |--+ "company_abc.com."
> |-----+ "www.company_abc.com."
> |-----+ "mail.company_abc.com."
> |-----+ "ftps.company_abc.com."
> etc...
>
> I am not yet sure if this is possible or not, just loud thinking...
> In theory, if possible, this should simplify certifications and make
> it easier to start an HTTPS server, cutting Verisign and friends out
> of the loop.
>
> What do you think ?

VeriSign Inc. has been out of that loop for 5 years. Their current
business is running core DNS.

One of the issues people don't seem to consider in these schemes is
that merely reducing the number of trusted intermediaries from ~40 to
one doesn't actually remove reliance on trusted third parties; it
merely removes all choice in the matter.
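The chain sketched in the question, worked through as an added example that is not part of this thread or of any IETF specification: each zone holds a signing key, the parent signs a hypothetical "key for FQDN" record for each child, and a verifier walks from a pinned root key down to www.company_abc.com. The record layout, the use of Ed25519, and the names are assumptions for illustration. The example also exercises the two points raised above: a middlebox that rewrites the published key cannot produce a valid parent signature, so the swap is caught, while a delegation re-issued by whoever holds the TLD key verifies perfectly, which is the reply's point that the root and TLD operators remain trusted third parties that the relying party cannot choose.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Record is the hypothetical resource record from the question: the public
// key published for an FQDN, signed by the parent zone's key (assumed layout).
type Record struct {
	Name   string
	Key    ed25519.PublicKey
	Parent string
	Sig    []byte // parent's signature over Name and Key
}

// Zone holds one zone's signing key: "." is the root, "com." the TLD, etc.
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZone(name string) (*Zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Zone{Name: name, Pub: pub, priv: priv}, nil
}

// toBeSigned binds name and key so a signature cannot be replayed for another name.
func toBeSigned(name string, key ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), key...)
}

// Delegate publishes and signs the key record for a child name.
func (z *Zone) Delegate(child string, key ed25519.PublicKey) Record {
	return Record{Name: child, Key: key, Parent: z.Name, Sig: ed25519.Sign(z.priv, toBeSigned(child, key))}
}

// parentOf strips the leftmost label: "www.company_abc.com." -> "company_abc.com." -> "com." -> ".".
func parentOf(name string) string {
	i := strings.Index(name, ".")
	if i < 0 || i == len(name)-1 {
		return "."
	}
	return name[i+1:]
}

// VerifyChain starts from the pinned root key and checks every record on the
// path to name against the key already verified for that record's parent.
func VerifyChain(root ed25519.PublicKey, records map[string]Record, name string) (ed25519.PublicKey, error) {
	var path []string
	for n := name; n != "."; n = parentOf(n) {
		path = append([]string{n}, path...) // root-first order
	}
	trusted := root
	for _, n := range path {
		rec, ok := records[n]
		if !ok {
			return nil, fmt.Errorf("no key record for %s", n)
		}
		if rec.Parent != parentOf(n) || !ed25519.Verify(trusted, toBeSigned(rec.Name, rec.Key), rec.Sig) {
			return nil, fmt.Errorf("record for %s is not validly signed by %s", n, parentOf(n))
		}
		trusted = rec.Key
	}
	return trusted, nil
}

func copyRecords(in map[string]Record) map[string]Record {
	out := make(map[string]Record, len(in))
	for k, v := range in {
		out[k] = v
	}
	return out
}

// Demo builds the chain from the question (constructed keys, no network) and
// reports whether the honest chain, a middlebox key swap, and a TLD-signed
// forgery are accepted by VerifyChain.
func Demo() (honestOK, swapAccepted, tldForgeryAccepted bool, err error) {
	zones := map[string]*Zone{}
	for _, n := range []string{".", "com.", "company_abc.com."} {
		if zones[n], err = NewZone(n); err != nil {
			return
		}
	}
	root, com, company := zones["."], zones["com."], zones["company_abc.com."]
	hostPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	attackerPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	host := "www.company_abc.com."
	records := map[string]Record{
		"com.":             root.Delegate("com.", com.Pub),
		"company_abc.com.": com.Delegate("company_abc.com.", company.Pub),
		host:               company.Delegate(host, hostPub),
	}

	// 1. Honest chain: the verifier obtains exactly the key the operator published.
	key, verr := VerifyChain(root.Pub, records, host)
	honestOK = verr == nil && key.Equal(hostPub)

	// 2. A middlebox rewrites the host key in transit but cannot re-sign it: rejected.
	swapped := copyRecords(records)
	r := swapped[host]
	r.Key = attackerPub
	swapped[host] = r
	_, verr = VerifyChain(root.Pub, swapped, host)
	swapAccepted = verr == nil

	// 3. Whoever controls the "com." key re-delegates company_abc.com. to a rogue
	// key and signs a new host record with it: accepted, since the verifier has no
	// way to distinguish this from a legitimate key rollover.
	rogue, err := NewZone("company_abc.com.")
	if err != nil {
		return
	}
	forged := copyRecords(records)
	forged["company_abc.com."] = com.Delegate("company_abc.com.", rogue.Pub)
	forged[host] = rogue.Delegate(host, attackerPub)
	key, verr = VerifyChain(root.Pub, forged, host)
	tldForgeryAccepted = verr == nil && key.Equal(attackerPub)
	return
}

func main() {
	h, s, f, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest chain accepted: %v\nmiddlebox key swap accepted: %v\nTLD-signed forgery accepted: %v\n", h, s, f)
}
```

The only thing the relying party pins is the root key; everything below it is whatever the zone above chose to sign. That is why case 2 fails (no signature can be forged without a private key on the path) and case 3 succeeds (the TLD holds such a key), which is the trade-off the reply describes: the number of parties who can mint a key for your name shrinks to the zones above you, but you cannot pick them.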