Re: Using DNS system as a Global Root Certificate Authority - possible ?
Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 27 December 2015 06:08 UTC
Date: Sun, 27 Dec 2015 06:08:34 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: ietf@ietf.org
Subject: Re: Using DNS system as a Global Root Certificate Authority - possible ?
Message-ID: <20151227060834.GL18704@mournblade.imrryr.org>
References: <CAOJ6w=EdXPzK7f=zS0epuYXkkEcwtop11Ttt6QUR1-FtN1rGWg@mail.gmail.com> <CAMm+LwgGhs_W9g2yG-HC6YDBiz++Z-G5hbNL=bFGAcDQXJK9AA@mail.gmail.com> <D24618171F1482DB31C6B8AB@JcK-HP5.jck.com>
In-Reply-To: <D24618171F1482DB31C6B8AB@JcK-HP5.jck.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/YTEzsmcSIEi_ngd2LXQtsW_fRbY>
On Sat, Dec 26, 2015 at 10:11:31PM -0500, John C Klensin wrote:

> And even that equation tends to be complicated by the
> observation that the trust relationship, as far as certification
> of identity is concerned, is with the registrars (and, in some
> cases, their agents and resellers) rather than with the
> registries. At that point, the number of trusted intermediaries
> gets back toward order 40 or 100, not one, unless the question
> is "do you control this domain" rather than "are you who you say
> you are".

It hasn't been "are you who you say you are" for quite some time, not for the vast majority of certificates. EV certificates are rather rare, with the exception of some of the largest sites. Certainly the "Let's Encrypt" CA will not do anything resembling "are you who you say you are".

Once the question does boil down to whether the party requesting the certificate controls the domain (rather than the "brand"), the only party with an authoritative answer to that question is the registrar on record for the domain.

Provided the domain is registrar-locked, DNSSEC gets one about as much confidence as one can get in answer to this more modest question. The party who authorized the DS records via the registrar has administrative control over the domain's DNS and thus can delegate authority over any keys published at and below the zone apex.

This is certainly not a solution to phishing and the like, but it can provide useful keying material for application protocols.

-- 
Viktor.
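The two hash links the message relies on, as an added example that is not part of the thread or of any IETF code: the DS record a registrant authorizes through the registrar commits to the child zone's DNSKEY (RFC 4034 section 5.1.4 / RFC 4509), and a TLSA record published under that zone commits to an application server's certificate or public key (RFC 6698). The DNSKEY, certificate and SPKI bytes below are constructed placeholders, not real keys, and a real validator would also check the RRSIGs over each RRset, which this example does not do.

```python
"""Added example (not from the list thread): verify that a parent-side DS
record commits to a child DNSKEY, and that a TLSA record commits to a
certificate. All key and certificate bytes used here are constructed."""
import hashlib
import hmac
import struct


def wire_name(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) DNS wire form of an owner name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: 16-bit ones-complement-style sum of the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types registered with IANA (1 = SHA-1, 2 = SHA-256, 4 = SHA-384).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_rdata(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS RDATA the registrar publishes in the parent zone:
    key tag | algorithm | digest type | digest(owner wire name | DNSKEY RDATA)."""
    algorithm = rdata[3]
    digest = DS_DIGESTS[digest_type](wire_name(owner) + rdata).digest()
    return struct.pack("!HBB", key_tag(rdata), algorithm, digest_type) + digest


def ds_matches_dnskey(ds: bytes, owner: str, rdata: bytes) -> bool:
    """Does this parent-side DS commit to this child-side DNSKEY?"""
    tag, algorithm, digest_type = struct.unpack("!HBB", ds[:4])
    if digest_type not in DS_DIGESTS:      # unknown digest type: cannot be used
        return False
    if algorithm != rdata[3] or tag != key_tag(rdata):
        return False
    expected = DS_DIGESTS[digest_type](wire_name(owner) + rdata).digest()
    return hmac.compare_digest(ds[4:], expected)


# TLSA matching types: 0 = full data, 1 = SHA-256, 2 = SHA-512.
TLSA_MATCHING = {
    0: lambda d: d,
    1: lambda d: hashlib.sha256(d).digest(),
    2: lambda d: hashlib.sha512(d).digest(),
}


def tlsa_rdata(usage: int, selector: int, matching: int,
               cert_der: bytes, spki_der: bytes) -> bytes:
    """TLSA RDATA: usage | selector (0 = whole cert, 1 = SPKI) | matching type | data."""
    data = cert_der if selector == 0 else spki_der
    return struct.pack("!BBB", usage, selector, matching) + TLSA_MATCHING[matching](data)


def tlsa_matches(tlsa: bytes, cert_der: bytes, spki_der: bytes) -> bool:
    """Does this TLSA record commit to this one certificate (DER) / its SPKI (DER)?
    For usage 2 (DANE-TA) the caller applies this to each CA cert in the chain;
    for usage 3 (DANE-EE) to the end-entity cert. Records with unknown selector
    or matching type are unusable and never match."""
    selector, matching = struct.unpack("!BB", tlsa[1:3])
    if selector not in (0, 1) or matching not in TLSA_MATCHING:
        return False
    data = cert_der if selector == 0 else spki_der
    return hmac.compare_digest(tlsa[3:], TLSA_MATCHING[matching](data))


if __name__ == "__main__":
    # Constructed placeholder key and certificate bytes (not real material).
    ksk = dnskey_rdata(257, 13, b"constructed-ksk-public-key-bytes")
    ds = ds_rdata("example.com", ksk)
    print("DS tag/alg/type:", struct.unpack("!HBB", ds[:4]), "digest:", ds[4:].hex())
    print("DS matches DNSKEY:", ds_matches_dnskey(ds, "example.com", ksk))
    cert, spki = b"constructed-cert-der", b"constructed-spki-der"
    tlsa = tlsa_rdata(3, 1, 1, cert, spki)        # "3 1 1": DANE-EE, SPKI, SHA-256
    print("TLSA matches cert:", tlsa_matches(tlsa, cert, spki))
```

The functions take already-decoded wire data; in practice the DNSKEY RDATA comes from the child's apex, the DS from the parent's delegation, and the certificate and SPKI DER from the TLS handshake, and a tampered key, a different owner name, or a different certificate all fail the comparison.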