undefined | Better HN

0 points0x010y ago0 comments

If the registrar held the job of being a CA, then at least there wouldn't be a spoofable link between the CA and the domain owner - the registrar already has your account information and proof of ownership, 100% verified, when your domain is held with them...

0 comments

nailer10y ago

Sure, but registrars would need to start doing a lot better job of checking the identity of people applying for domains, otherwise we'd just end up with domain validated certificates all over again.

As the grandparent post notes, all CAs completely automate domian validation at present.

0x0OP10y ago

My point is that regular domain validated CA should be the sole job of registrars. It would even prevent parallel certs being fraudulently issued - a domain can only be registered at one registrar at one time.

Sure, you could have the other CAs still offer EV (real-world identity) validation as a value-add.

But it's pretty silly that, currently, you have to pay a third party (today's CAs) to validate something that the registrar already knows for sure.

kej10y ago

The other side of that argument is that if your registrar is also your CA, they have the ability to give bogus SSL certs to an evil server and the ability to direct your domain to that evil server.

1 more reply

j / k navigate · click thread line to collapse