Re: Using DNS system as a Global Root Certificate Authority - possible ?
Phillip Hallam-Baker <phill@hallambaker.com> Sun, 27 December 2015 04:11 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E08951B29E3 for <ietf@ietfa.amsl.com>; Sat, 26 Dec 2015 20:11:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TaHO81_QKfoP for <ietf@ietfa.amsl.com>; Sat, 26 Dec 2015 20:11:07 -0800 (PST)
Received: from mail-lb0-x231.google.com (mail-lb0-x231.google.com [IPv6:2a00:1450:4010:c04::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9907F1B29E1 for <ietf@ietf.org>; Sat, 26 Dec 2015 20:11:06 -0800 (PST)
Received: by mail-lb0-x231.google.com with SMTP id oh2so79989741lbb.3 for <ietf@ietf.org>; Sat, 26 Dec 2015 20:11:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=YZFXdILYM3W8yTCAPM7zJdfwjGqV45tp8gKiYSao16M=; b=mrqpR58cdkybvjU28rhcgYtPnMn6m1PnQzwml9WwMJ2hGlRz/mJXO3f6ylGTIRZvlM Ouh8WdmhvQwxhWKjlByoSLhq3QXvDBXLzMlvevXinQDQe1ws21kOtsACEXe0ZUUyJocR dkmoubUH2X3fp43GgyfbkPwYCTzFWj/bEjvzmKkKDT4gd4tcpziUJTySLizujeReFry+ p7THlh2kJO8NeQLoIionbIaKeWazdzP3F+NCzUiJTzQAUIQ2sF9ogudAAQxrFPkkX/cd X/krktsMb1kpyww7EVq7uXuzBMEZiX776fmT8y4uu5GZ7TVChXm9saHR4JxJ7awKnSGI AfWA==
MIME-Version: 1.0
X-Received: by 10.112.54.193 with SMTP id l1mr16501829lbp.58.1451189464770; Sat, 26 Dec 2015 20:11:04 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.1.33 with HTTP; Sat, 26 Dec 2015 20:11:04 -0800 (PST)
In-Reply-To: <D24618171F1482DB31C6B8AB@JcK-HP5.jck.com>
References: <CAOJ6w=EdXPzK7f=zS0epuYXkkEcwtop11Ttt6QUR1-FtN1rGWg@mail.gmail.com> <CAMm+LwgGhs_W9g2yG-HC6YDBiz++Z-G5hbNL=bFGAcDQXJK9AA@mail.gmail.com> <D24618171F1482DB31C6B8AB@JcK-HP5.jck.com>
Date: Sat, 26 Dec 2015 23:11:04 -0500
X-Google-Sender-Auth: 8vbSZM2kotgJ5CFJZ5Q3MmYuvU8
Message-ID: <CAMm+LwgHBzx0gR+kWqTYwbUH-qjPKV+qL-FViOSZiZwfX0O3Aw@mail.gmail.com>
Subject: Re: Using DNS system as a Global Root Certificate Authority - possible ?
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: John C Klensin <john-ietf@jck.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/ML8-OnUkxKLX2DLRqWbdCLYV5aU>
Cc: ietf <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Dec 2015 04:11:08 -0000
On Sat, Dec 26, 2015 at 10:11 PM, John C Klensin <john-ietf@jck.com> wrote: > > > --On Saturday, December 26, 2015 9:52 PM -0500 Phillip > Hallam-Baker <phill@hallambaker.com> wrote: > >>... >> One of the issues people don't seem to consider in these >> schemes is that merely reducing the number of trusted >> intermediaries from ~40 to one doesn't actually remove >> reliance on trusted third parties, it merely removes all >> choice in the matter. > > And even that equation tends to be complicated by the > observation that the trust relationship, as far as certification > of identity is concerned, is with the registrars (and, in some > cases, their agents and resellers) rather than with the > registries. At that point, the number of trusted intermediaries > gets back toward order 40 or 100, not one, unless the question > is "do you control this domain" rather than "are you who you say > you are". > > john >
- Using DNS system as a Global Root Certificate Aut… Alexey Eromenko
- Re: Using DNS system as a Global Root Certificate… Warren Kumari
- Re: Using DNS system as a Global Root Certificate… Alexey Eromenko
- Re: Registrant identity, was Using DNS system as … John Levine
- Re: Using DNS system as a Global Root Certificate… Phillip Hallam-Baker
- Re: Using DNS system as a Global Root Certificate… John C Klensin
- Re: Using DNS system as a Global Root Certificate… Phillip Hallam-Baker
- Re: Using DNS system as a Global Root Certificate… Phillip Hallam-Baker
- Re: Using DNS system as a Global Root Certificate… Viktor Dukhovni
- Re: Using DNS system as a Global Root Certificate… Patrik Fältström
- Re: Using DNS system as a Global Root Certificate… Eliot Lear
- Re: Using DNS system as a Global Root Certificate… Patrik Fältström
- Re: Using DNS system as a Global Root Certificate… John C Klensin
- Re: Using DNS system as a Global Root Certificate… Masataka Ohta
- Re: Using DNS system as a Global Root Certificate… Masataka Ohta