On Thursday, August 16, 2018 at 3:18:38 PM UTC-5, Wayne Thayer wrote:
> What problem(s) are you trying to solve with this concept? If it's
> misissuance as broadly defined, then I'm highly skeptical that Registry
> Operators - the number of which is on the same order of magnitude as CAs
> [1] - would perform better than existing CAs in this regard. You also need
> to consider the fact that ICANN has little authority over ccTLDs.
One issue that would be solved in such a scheme as I've proposed is that only a single administrative hierarchy may issue certificates for a given TLD, and further that that hierarchy is the same one that has TLD-level responsibility over domains within that TLD. Pedantic as it may be, there's virtually no such thing as a misissuance by a registry, if only because literally whatever they say about a domain at any given moment is "correct" and is the authoritative answer.

A scheme such as I've proposed also eliminates all the other layers of failure which may occur that can yield undesirable issuances today: concerns over BGP hijacks of authoritative DNS server IP space are eliminated, concerns over other forms of authoritative DNS server compromise are eliminated, and concern over compromise of a target web server is eliminated.

In the scheme I propose, the registry signs only upon orders from the registrar responsible for the given domain within the TLD, and the registrar gives such orders only upon requests that are authenticated at least to the same level of assurance as would be required to alter the authoritative DNS delegations for the domain. (Consequently, that level of access today is certainly sufficient to achieve issuance from any CA that issues automatically upon validation against DNS records.)

I concede that ICANN would have no means to impose this upon the ccTLDs, leaving a gap to be figured out.

I recognize that this is a maverick idea, nearly completely divorced from the current WebPKI's structure. Having said that, I do think it aligns the capability to issue a certificate with the administrative structures which already determine the very definition of what is meant by a given dnsName. In addition, it reduces many diverse attack surface areas down to a single one (account takeover / infrastructure takeover of registrar/registry) that is already in the overall threat model.
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
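The following is an added example, not code from the thread or from any registry or registrar: a small Python model of the issuance flow the reply above proposes. A per-TLD Registry signs only on an order from the registrar that sponsors the domain, and the Registrar only issues an order after authenticating the registrant with the credential that would also be needed to change the domain's delegation. The Registry and Registrar classes, the credential check and the sample domain under .test are assumptions for illustration; HMAC-SHA256 stands in for real signatures so the script runs with the standard library alone.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict

# NOTE: HMAC is a stand-in for an asymmetric signature so the example is
# self-contained; a real design would use e.g. Ed25519 or ECDSA keys.


def sign_payload(key: bytes, payload: dict) -> str:
    """Sign a dict over its canonical JSON encoding."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_payload(key: bytes, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(sign_payload(key, payload), sig)


def in_tld(name: str, tld: str) -> bool:
    """True only for names that sit below the given TLD."""
    return name.lower().endswith("." + tld.lower())


class Registry:
    """One signing hierarchy per TLD; it signs only on a sponsoring registrar's order."""

    def __init__(self, tld: str):
        self.tld = tld
        self.key = secrets.token_bytes(32)             # the TLD's issuing key
        self.registrar_keys: Dict[str, bytes] = {}     # accredited registrars
        self.sponsor: Dict[str, str] = {}              # domain -> registrar id

    def accredit(self, registrar_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.registrar_keys[registrar_id] = key
        return key

    def delegate(self, domain: str, registrar_id: str) -> None:
        """Record which registrar sponsors a domain (the analogue of an NS delegation)."""
        if not in_tld(domain, self.tld):
            raise ValueError(f"{domain} is not under .{self.tld}")
        if registrar_id not in self.registrar_keys:
            raise ValueError("unknown registrar")
        self.sponsor[domain.lower()] = registrar_id

    def issue(self, order: dict, order_sig: str) -> dict:
        """Issue only if the order is for a name in this TLD, comes from the
        registrar that sponsors it, and carries that registrar's signature."""
        domain = order["domain"].lower()
        if not in_tld(domain, self.tld):
            raise ValueError("domain outside this registry's TLD")
        rid = self.sponsor.get(domain)
        if rid is None or rid != order["registrar"]:
            raise PermissionError("order not from the sponsoring registrar")
        if not verify_payload(self.registrar_keys[rid], order, order_sig):
            raise PermissionError("bad registrar signature on order")
        cert = {"tld": self.tld, "domain": domain, "spki": order["spki"]}
        return {"cert": cert, "sig": sign_payload(self.key, cert)}

    def verify_cert(self, signed: dict) -> bool:
        cert = signed["cert"]
        return (cert["tld"] == self.tld and in_tld(cert["domain"], self.tld)
                and verify_payload(self.key, cert, signed["sig"]))


class Registrar:
    """Gates orders behind the same credential that controls the domain's delegation."""

    def __init__(self, registrar_id: str, key: bytes, registry: Registry):
        self.registrar_id = registrar_id
        self.key = key
        self.registry = registry
        self.accounts: Dict[str, str] = {}   # domain -> sha256(credential)

    def enroll(self, domain: str, credential: str) -> None:
        self.registry.delegate(domain, self.registrar_id)
        self.accounts[domain.lower()] = hashlib.sha256(credential.encode()).hexdigest()

    def request_certificate(self, domain: str, credential: str, spki: str) -> dict:
        expected = self.accounts.get(domain.lower())
        presented = hashlib.sha256(credential.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, presented):
            raise PermissionError("registrant authentication failed")
        order = {"registrar": self.registrar_id, "domain": domain.lower(), "spki": spki}
        return self.registry.issue(order, sign_payload(self.key, order))


def attempt(action) -> str:
    """Run an issuance attempt and report its outcome by name."""
    try:
        action()
        return "issued"
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


def demo() -> dict:
    """Exercise the happy path and the failure cases the scheme is meant to close."""
    registry = Registry("test")                               # constructed TLD
    reg_a = Registrar("reg-a", registry.accredit("reg-a"), registry)
    reg_b = Registrar("reg-b", registry.accredit("reg-b"), registry)
    reg_a.enroll("example.test", "correct-horse")             # constructed credential

    out = {}
    signed = reg_a.request_certificate("example.test", "correct-horse", "SPKI-A")
    out["valid"] = registry.verify_cert(signed)
    out["other_tld_accepts"] = Registry("other").verify_cert(signed)
    out["bad_credential"] = attempt(
        lambda: reg_a.request_certificate("example.test", "guess", "SPKI-X"))
    forged = {"registrar": "reg-b", "domain": "example.test", "spki": "SPKI-X"}
    out["wrong_registrar"] = attempt(
        lambda: registry.issue(forged, sign_payload(reg_b.key, forged)))
    out["outside_tld"] = attempt(lambda: reg_a.enroll("example.org", "x"))
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The model makes the reply's invariant concrete: a certificate for a name under .test can only be produced by the .test registry, and only on an order from the registrar that sponsors that exact domain, so a registrar that is accredited but not sponsoring, a wrong registrant credential, or a name outside the TLD all fail before any signature is made.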

