Re: Registrant identity, was Using DNS system as a Global Root Certificate Authority - possible ?
"John Levine" <johnl@taugh.com> Sun, 27 December 2015 20:21 UTC
Date: Sun, 27 Dec 2015 20:21:05 -0000
Message-ID: <20151227202105.47200.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: ietf@ietf.org
Subject: Re: Registrant identity, was Using DNS system as a Global Root Certificate Authority - possible ?
In-Reply-To: <67A5A7EF-BDDA-4507-88F5-4021D685479E@frobbit.se>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/U8eR28j39dew952ZjrAc5k1ZiQk>
Cc: paf@frobbit.se
It seems like you're talking past each other here.

>The registry do keep track of which ones of the registrars can make changes, so not every registrar
>(i.e. intermediary) can become "trusted".

That's certainly true, and auth codes make it fairly hard to move a domain from one registrar to another without inside help from whoever reads the registrant's e-mail. On the other hand, there are over 2100 registrars in ICANN's list, and even after accounting for 300 that are Namebright and another 300 that are Netsol, and so forth, there's probably close to a thousand of them, some of which take security more seriously than others. There are certainly registrars who will accept names that are obvious phishes, there are registrars that can be socially engineered to reset accounts (I did that once, but it was for a virtuous reason), and so forth.

Making life even more confusing, while most registries and registrars strictly limit registrations to anyone whose credit card isn't rejected, there are a few that make more or less credible attempts to validate that registrants are who they claim to be. The sTLDs like .aero, .travel, .coop and .jobs make some effort to verify that registrants are members of the relevant community, although the checks have gotten pretty perfunctory as the money failed to roll in. (I can tell you about .aero and .travel.) The .pro domain was supposed to be for licensed professional doctors, lawyers, accountants, and engineers, but a combination of financial problems and registrar gimmickry made the checks ever feebler until last month they gave up and now it's purely generic. The .coop domain checks that you're a co-op when you register, but never checks again. One time I noticed that the registrant for chicken.coop had sold out and wasn't a co-op any more. I told the .coop registry, and its head personally thanked me and asked me to tell her about any other misregistrations I noticed. Uh, OK.

In the latest round, .ngo/.ong is making a reasonable attempt to verify that applicants really are NGOs and that the domain name is related to the organization name. I have talked to someone from Encirca who is working with .bank to do something similar. It's too early to find out whether they'll stick with it as their business models fail, but even if they do persist, there's no DANE version of a green bar certificate so it's not clear how much good it will really do.

R's,
John