Re: Using DNS system as a Global Root Certificate Authority - possible ?

"Patrik Fältström " <paf@frobbit.se> Sun, 27 December 2015 13:42 UTC

From: Patrik Fältström <paf@frobbit.se>
To: Eliot Lear <lear@cisco.com>
Subject: Re: Using DNS system as a Global Root Certificate Authority - possible ?
Date: Sun, 27 Dec 2015 14:42:10 +0100
Message-ID: <67A5A7EF-BDDA-4507-88F5-4021D685479E@frobbit.se>
In-Reply-To: <567FDBD1.4010703@cisco.com>
References: <CAOJ6w=EdXPzK7f=zS0epuYXkkEcwtop11Ttt6QUR1-FtN1rGWg@mail.gmail.com> <CAMm+LwgGhs_W9g2yG-HC6YDBiz++Z-G5hbNL=bFGAcDQXJK9AA@mail.gmail.com> <D24618171F1482DB31C6B8AB@JcK-HP5.jck.com> <23F80B32-B026-4122-8EFD-52EA70A9D5B9@frobbit.se> <567FDBD1.4010703@cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/Vq7hPyZJNwN3i4K4Zi9wvacYua0>
Cc: ietf <ietf@ietf.org>

On 27 Dec 2015, at 13:38, Eliot Lear wrote:

> One would like to believe that name constraints as specified by RFC 5280 could be useful, and yet experience seems to show otherwise.  Perhaps all is not lost.

I do not have much to say apart from the interaction I have already had with the CA/B Forum[1], and what the SSAC view on the difference between DNS and the traditional cert structure is[2].

My only point was that it is not at all the case that all registrars can make changes to any subdomain of a domain managed by a registry, which is what I read in what John wrote:

> At that point, the number of trusted intermediaries gets back toward order 40 or 100, not one, unless the question is "do you control this domain" rather than "are you who you say you are".

The registry does keep track of which of the registrars can make changes, so not every registrar (i.e. intermediary) can become "trusted".

If I misunderstood what he wrote, my apologies.

   Patrik

[1] SAC-057: https://www.icann.org/en/groups/ssac/documents/sac-057-en.pdf
[2] SAC-075: https://www.icann.org/en/groups/ssac/documents/sac-075-en.pdf