Using DNS system as a Global Root Certificate Authority - possible ?

Alexey Eromenko <al4321@gmail.com> Sat, 26 December 2015 20:23 UTC


Hi all,

Assume the DNS system added a new resource record (RR) which allowed
publishing the public key for a particular FQDN.

How secure or insecure would that be?

Is there a way to *securely* retrieve such information from, for
example, an authoritative DNS server, without any middlebox (such as a
DNS proxy) mangling it?

And have TLD DNS servers as the top "Root Certificate Authorities".

So an X.509 SSL certificate chain could look like:

- "."
+- ".com."
|--+ "company_abc.com."
|-----+ "www.company_abc.com."
|-----+ "mail.company_abc.com."
|-----+ "ftps.company_abc.com."
etc...

I am not yet sure if this is possible or not, just thinking out loud...
In theory, if possible, this should simplify certification and make
it easier to start an HTTPS server, cutting Verisign and friends out
of the loop.

What do you think?
-- 
-Alexey Eromenko "Technologov"
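As an added illustration of the chain sketched in the post (this is not code from the post or from any IETF work; the record layout, the Ed25519 keys and the zone names are assumptions constructed for the example), a Go program that models each zone's published key as a record signed by the zone above it and walks a chain from the "." anchor down to a leaf, rejecting a key that was replaced on the way or a record that does not sit directly under the previous zone:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"strings"
)

type KeyRecord struct { // the RR proposed in the post: a zone key signed by the parent zone's key
	Name   string            // FQDN, e.g. "www.company_abc.com."
	PubKey ed25519.PublicKey // key published for Name
	Sig    []byte            // parent zone's signature over Name||PubKey
}

// Parent returns the enclosing zone: "www.x.com." -> "x.com.", "com." -> "." (the trust anchor).
func Parent(name string) string {
	if i := strings.Index(name, "."); i >= 0 && i < len(name)-1 {
		return name[i+1:]
	}
	return "."
}

// VerifyChain walks from the "." anchor down to the leaf: every record must sit directly under the
// previous zone and verify under that zone's key, so a key swapped or re-signed by a middlebox fails.
func VerifyChain(root ed25519.PublicKey, chain []KeyRecord) (ed25519.PublicKey, error) {
	parentKey, parentName := root, "."
	for _, r := range chain {
		if Parent(r.Name) != parentName {
			return nil, errors.New("chain gap at " + r.Name)
		}
		if !ed25519.Verify(parentKey, append([]byte(r.Name), r.PubKey...), r.Sig) {
			return nil, errors.New("bad signature on " + r.Name)
		}
		parentKey, parentName = r.PubKey, r.Name
	}
	return parentKey, nil // the leaf's public key, now bound to its name through the zone hierarchy
}

// BuildChain is constructed sample data: fresh keys for "." and each zone in names (top first, leaf last).
func BuildChain(names []string) (ed25519.PublicKey, []KeyRecord) {
	rootPub, priv, _ := ed25519.GenerateKey(rand.Reader) // sample data only; rand.Reader does not fail
	var chain []KeyRecord
	for _, n := range names {
		pub, next, _ := ed25519.GenerateKey(rand.Reader)
		chain = append(chain, KeyRecord{Name: n, PubKey: pub, Sig: ed25519.Sign(priv, append([]byte(n), pub...))})
		priv = next // the zone just created signs the next record down
	}
	return rootPub, chain
}
```

The name check in VerifyChain is what keeps a zone from vouching for names outside its own subtree; without it, any valid signature by any zone in the chain would be accepted for any name.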