undefined | Better HN

0 pointsschoen9y ago0 comments

> imagine a protocol where a CA has to ask the registry

Or maybe registries could directly act as CAs for their own TLDs (and no others). It would be an interesting discussion about how this would be better or worse than what we have now.

I imagine a lot of registries wouldn't want to pay for the infrastructure to do this, but maybe it should be regarded as a basic part of their role. Right now it would be very annoying because you could no longer get a cert for multiple names under different TLDs, at least if they were managed by different registries (so you couldn't get a single cert covering example.io, example.cc, and example.net, even if you controlled all three names). Maybe if SNI becomes more ubiquitous this limitation will seem less annoying in the future.

0 comments

3 comments · 1 top-level

iancarroll9y ago· 2 in thread

This idea is DANE with DNSSEC, and it is unlikely to be adopted. tqbf has a good blog post[0] about why it's probably not a good idea (disclosure: I agree).

[0] https://sockpuppet.org/blog/2015/01/15/against-dnssec/

schoenOP9y ago

That article starts off by saying that DNSSEC slightly improves the security of DV certs, but not sufficiently.

What I was suggesting above was having domain registrars or registries use a new protocol (not DNSSEC) specifically to authenticate domain registrants to CAs for improving the security of DV certs -- and in order to replace existing DV mechanisms. My thought is that registries and registrars together possess the ground truth about domain ownership in the DNS system, and so it would be helpful if they had a way to securely communicate that directly to CAs. I didn't mean to suggest that DNSSEC should be that way.

I don't think this would be vulnerable to any of Thomas Ptacek's particular criticisms of DNSSEC, unless the first section implies that he wanted to completely eliminate DV certs or stop trusting them as a general matter. I didn't read it that way. However, we might take the article to imply that DV certs, even if they could be guaranteed to match up perfectly with the DNS ground truth at all times, may never be enough as the main or only means of authenticating some entities for some purposes, which is also fair.

dane-pgp9y ago

And EasyDNS have a blog post[0] about why it actually is a good idea (disclosure: I agree).

[0] http://blog.easydns.org/2015/08/06/for-dnssec/

j / k navigate · click thread line to collapse