Re: Using DNS system as a Global Root Certificate Authority - possible ?

Warren Kumari <warren@kumari.net> Sat, 26 December 2015 20:29 UTC

References: <CAOJ6w=EdXPzK7f=zS0epuYXkkEcwtop11Ttt6QUR1-FtN1rGWg@mail.gmail.com>
In-Reply-To: <CAOJ6w=EdXPzK7f=zS0epuYXkkEcwtop11Ttt6QUR1-FtN1rGWg@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Sat, 26 Dec 2015 20:29:05 +0000
Message-ID: <CAHw9_i+78nnrAZt647pjEUkwscQ5mN4vr=pX01GH6krxmMFNuQ@mail.gmail.com>
Subject: Re: Using DNS system as a Global Root Certificate Authority - possible ?
To: Alexey Eromenko <al4321@gmail.com>, ietf <ietf@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/kzL-g8JT66nxaQMjVh4mzmjgVzE>

This is very similar to what the DANE working group is working on -
https://datatracker.ietf.org/wg/dane/charter/

I'd suggest you start with RFC6394, and then RFC6698, followed by RFC7671.

W

On Sat, Dec 26, 2015, 3:23 PM Alexey Eromenko <al4321@gmail.com> wrote:

> Hi all,
>
> Assume the DNS system added a new resource record (RR) which allowed
> publishing the public key for a particular FQDN.
>
> How secure or insecure would that be?
>
> Is there a way to *securely* retrieve such information from, for
> example, an authoritative DNS server, without any middlebox (such as a
> DNS proxy) mangling it?
>
> And having TLD DNS servers as the top "Root Certificate Authorities".
>
> so an X.509 SSL certificate chain could look like:
>
> - "."
> +- ".com."
> |--+ "company_abc.com."
> |-----+ "www.company_abc.com."
> |-----+ "mail.company_abc.com."
> |-----+ "ftps.company_abc.com."
> etc...
>
> I am not yet sure if this is possible or not, just thinking out loud...
> In theory, if possible, this should simplify certifications and make
> it easier to start an HTTPS server, cutting Verisign and friends out
> of the loop.
>
> What do you think ?
> --
> -Alexey Eromenko "Technologov"
>
>
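Warren's pointer is to the TLSA record of RFC 6698, which is essentially the mechanism the original question sketches: a DNS record that binds a public key (or certificate) to a name, usable only when the RRset validated under DNSSEC, which is what answers the "without any middlebox mangling it" concern. The block below is an added illustration, not code from either poster or from any DANE implementation. It implements the TLSA matching rules (selector 0/1, matching type 0/1/2) with a small hand-written DER walker, gates use of the records on DNSSEC validation, and encodes the RFC 7671 rule that usages 0 and 1 still require a PKIX chain while usages 2 and 3 are anchored in DNS. The certificate bytes are a constructed placeholder with the right ASN.1 shape, not a real certificate, and the helper names are this example's own.

```python
"""TLSA (RFC 6698) record matching against a certificate, plus the DNSSEC gate
and the certificate-usage rule of RFC 7671. Illustrative code; the sample
certificate is a constructed placeholder, not a real X.509 certificate."""
import hashlib

# --- minimal DER helpers (sufficient for the structures used here) ---------

def der(tag, value):
    """Encode one DER TLV (short or long definite length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_read(buf):
    """Read one TLV; return (tag, value, remaining bytes)."""
    tag, length, i = buf[0], buf[1], 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], buf[i + length:]

def der_children(value):
    """Split the body of a SEQUENCE into its (tag, value) elements."""
    out = []
    while value:
        tag, val, value = der_read(value)
        out.append((tag, val))
    return out

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of a certificate. tbsCertificate is
    [version], serial, signature, issuer, validity, subject, SPKI, ...;
    version ([0] EXPLICIT, tag 0xA0) is optional, so the index shifts."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body, _ = der_read(cert_body)
    fields = der_children(tbs_body)
    idx = 6 if fields[0][0] == 0xA0 else 5
    tag, val = fields[idx]
    return der(tag, val)

# --- TLSA semantics ---------------------------------------------------------

PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3     # certificate usages
SEL_CERT, SEL_SPKI = 0, 1                          # selectors
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2   # matching types

def parse_tlsa(text):
    """Parse presentation form 'usage selector mtype hexdata'."""
    usage, selector, mtype, data = text.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data.replace(" ", ""))

def association_data(cert_der, selector, mtype):
    """What the 'certificate association data' field must hold for this cert."""
    assoc = cert_der if selector == SEL_CERT else spki_from_cert(cert_der)
    if mtype == MATCH_FULL:
        return assoc
    if mtype == MATCH_SHA256:
        return hashlib.sha256(assoc).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(assoc).digest()
    raise ValueError("unknown matching type %d" % mtype)

def build_tlsa_record(cert_der, usage, selector, mtype):
    """Presentation form of the TLSA record a zone would publish for cert_der."""
    return "%d %d %d %s" % (usage, selector, mtype,
                            association_data(cert_der, selector, mtype).hex())

def tlsa_matches(record, cert_der):
    """True if the presented certificate satisfies the TLSA record."""
    _usage, selector, mtype, data = record
    return association_data(cert_der, selector, mtype) == data

def pkix_required(usage):
    """RFC 7671: usages 0 and 1 still need a PKIX chain to a trusted CA;
    usages 2 and 3 are anchored in DNS alone (3 also skips name checks)."""
    return usage in (PKIX_TA, PKIX_EE)

def usable_tlsa_records(records, dnssec_validated):
    """RFC 6698: a TLSA RRset that did not validate under DNSSEC must not be
    used; records with unsupported parameters are ignored."""
    if not dnssec_validated:
        return []
    return [r for r in records
            if r[1] in (SEL_CERT, SEL_SPKI)
            and r[2] in (MATCH_FULL, MATCH_SHA256, MATCH_SHA512)]

# --- constructed sample certificate (placeholder fields, not a real cert) ---

def build_sample_cert(key_bytes, with_version=True):
    ec_pubkey_oid = der(0x06, bytes.fromhex("2a8648ce3d0201"))    # 1.2.840.10045.2.1
    p256_oid = der(0x06, bytes.fromhex("2a8648ce3d030107"))       # 1.2.840.10045.3.1.7
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    spki = der(0x30, der(0x30, ec_pubkey_oid + p256_oid) + der(0x03, b"\x00" + key_bytes))
    tbs = der(0xA0, der(0x02, b"\x02")) if with_version else b""   # v3 marker
    tbs += der(0x02, b"\x01") + sha256_rsa + der(0x30, b"")         # serial, sigalg, issuer
    tbs += der(0x30, der(0x17, b"160101000000Z") + der(0x17, b"170101000000Z"))
    tbs += der(0x30, b"") + spki                                    # subject, SPKI
    return der(0x30, der(0x30, tbs) + sha256_rsa + der(0x03, b"\x00" + bytes(8)))

SAMPLE_CERT = build_sample_cert(b"\x04" + bytes(range(64)))          # constructed
OTHER_CERT = build_sample_cert(b"\x04" + bytes(reversed(range(64))))  # constructed

if __name__ == "__main__":
    rec = build_tlsa_record(SAMPLE_CERT, DANE_EE, SEL_SPKI, MATCH_SHA256)
    print("_443._tcp.www.example.com. IN TLSA", rec)
    print("own cert:", tlsa_matches(parse_tlsa(rec), SAMPLE_CERT),
          "other cert:", tlsa_matches(parse_tlsa(rec), OTHER_CERT))
```

The usual deployment choice is "3 1 1" (DANE-EE, SPKI, SHA-256), because hashing only the public key lets the operator renew the certificate without touching the DNS record as long as the key is kept, and because usage 3 removes the CA from the trust decision entirely, which is the "cutting Verisign and friends out of the loop" the original poster was after. The `usable_tlsa_records` gate is the part that matters for the middlebox question: a resolver that forwards through a non-validating proxy returns no AD bit, and the client must then treat the TLSA RRset as absent rather than trust it.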