What I understand in this reply is the concern about the validity of SSL
certificates handed out by CAs. I acknowledge that concern, which I share
with you.

I am, however, concerned with the suggestion to cover "it" with all DNS
means! Because I know for sure that registering a domain can be, and is,
quite anonymous as well. For the registrars "selling names under a
top-level domain", this is only a low-cost product, sometimes given away
for free (in return for web hosting), with very little control of the
identity of the registrant.

And once there is delegation, the registrant could then generate
self-signed certificates and publish a TLSA record with type 3: "this
self-signed certificate is OK, don't alert the user".
Hence the original subject: "produce one's own identity card".

When I first read the draft, I thought this was about "informing the user
which CA was used for my official certificate". So, if a trusted CA is
hacked and gives out an otherwise valid certificate for my domain, but to
an organisation which is not "me", I can still inform my visitors which
CA *I* chose for my real certificate. But that seems to be the CAA RR,
recently published ...

Kind regards,

Marc (without trailing 'o' ;-)

On Thu, Jan 31, 2013 at 8:13 PM, Paul Wouters <[email protected]> wrote:
> On Thu, 31 Jan 2013, Marc Lampo wrote:
>
>> how can the *parent* domain provide the identity ?
>
>
> He who controls the spice, controls the universe! Oh wait, I mean to say
> the parent can already take control of all of its children, so yes in
> the DNS world, the "ID card" analogy does not quite work. (In the X509
> world, the ID card analogy compares perhaps to US drivers licenses, each
> state looks different so no one can really verify the authenticity
> anymore)
>
> So, parent DNS controls child DNS. Child DNS controls where it points
> the webserver at. So no new "vulnerabilities" are introduced by putting
> trust in self-signed certs anchored to DNS.
>
>
>> The TLSA record is content of the domain (not the parent), is it?
>> I know that, for DNSSEC, the parent signs the domain's public key
>> information (DS),
>> but that is purely DNSSEC.
>> It does not contribute to the identity of the domain holder.
>> Or what am I missing?
>
>
> DNS does not provide "identity" information. But "Domain Validated" (DV)
> certificates don't either. Anyone controlling example.com can get a DV
> cert issued by the CABforum members without any identity check.
>
> If you are talking about EV certs, apparently CABforum people do more
> checks before handing these out, allegedly doing identity validation,
> so I would need to provide some Example Inc. paperwork before they
> should give me an EV cert. This part cannot be replaced with TLSA
> records, although TLSA records can contradict (rogue) EV certs.
>
> Paul
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
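The "type 3" record the thread argues about is TLSA certificate usage 3 (DANE-EE, "domain-issued certificate"), under which the DNSSEC-validated TLSA record, not a CA, is the trust anchor for the end-entity certificate. The following is an added example, not code from either participant, that builds such a record for a self-signed certificate and shows the client-side match: the pinned certificate is accepted, a certificate a compromised CA issued for the same name is not, and a usage-1 (PKIX-EE) record with the same digest is not enough on its own because that usage still requires a CA chain. The two certificate byte strings are constructed stand-ins rather than real DER, only selector 0 (full certificate) is implemented (selector 1 would need an X.509 parser), and DNSSEC validation of the RRset is assumed to have happened before the check.

```python
"""DANE-EE (TLSA certificate usage 3) record construction and matching.

TLSA RDATA layout per RFC 6698: one octet each for certificate usage,
selector and matching type, then the certificate association data.
Stdlib only, so it runs offline.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable

# RFC 6698 field values used below.
USAGE_PKIX_EE = 1        # end-entity cert must ALSO pass normal PKIX (CA) validation
USAGE_DANE_EE = 3        # "domain-issued": the TLSA record itself is the trust anchor
SELECTOR_FULL_CERT = 0   # association data derived from the whole DER certificate
SELECTOR_SPKI = 1        # ... from the SubjectPublicKeyInfo only (needs a DER parser)
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    def to_presentation(self) -> str:
        """Zone-file form, e.g. '3 0 1 <hex digest>'."""
        return f"{self.usage} {self.selector} {self.matching_type} {self.data.hex()}"

    @classmethod
    def from_presentation(cls, text: str) -> "TLSARecord":
        usage, selector, mtype, hexdata = text.split(None, 3)
        return cls(int(usage), int(selector), int(mtype),
                   bytes.fromhex("".join(hexdata.split())))

    def to_wire(self) -> bytes:
        """RDATA wire form: three fixed octets followed by the association data."""
        return bytes([self.usage, self.selector, self.matching_type]) + self.data

    @classmethod
    def from_wire(cls, rdata: bytes) -> "TLSARecord":
        if len(rdata) < 3:
            raise ValueError("TLSA RDATA shorter than its fixed header")
        return cls(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))


def association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Compute what the TLSA data field must hold for this certificate."""
    if selector != SELECTOR_FULL_CERT:
        # Selector 1 needs the SubjectPublicKeyInfo pulled out of the DER
        # structure; that X.509 parsing is deliberately left out here.
        raise NotImplementedError("only selector 0 (full certificate) is handled")
    if matching_type == MATCH_EXACT:
        return cert_der
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(cert_der).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_dane_ee_record(cert_der: bytes, matching_type: int = MATCH_SHA256) -> TLSARecord:
    """The record a domain holder publishes to pin its own (e.g. self-signed) cert."""
    return TLSARecord(USAGE_DANE_EE, SELECTOR_FULL_CERT, matching_type,
                      association_data(cert_der, SELECTOR_FULL_CERT, matching_type))


def dane_ee_accepts(cert_der: bytes, records: Iterable[TLSARecord]) -> bool:
    """Client-side check for the usage-3 case only.

    For usage 3 the (DNSSEC-validated) TLSA RRset replaces the CA as the
    trust anchor, so no chain is built.  Records with any other usage still
    require PKIX validation, which this function does not perform, so it
    never accepts on such a record.
    """
    for rec in records:
        if rec.usage != USAGE_DANE_EE:
            continue
        try:
            expected = association_data(cert_der, rec.selector, rec.matching_type)
        except NotImplementedError:
            continue  # unusable here; a real client would handle selector 1 too
        if hmac.compare_digest(expected, rec.data):
            return True
    return False


# Constructed stand-ins for DER-encoded certificates (NOT real X.509 DER):
# the domain holder's self-signed cert, and a cert a compromised CA issued
# for the same name to someone else.
SELF_SIGNED_CERT_DER = b"constructed-DER:self-signed cert for example.com, key A"
ROGUE_CA_CERT_DER = b"constructed-DER:CA-issued cert for example.com, key B"


def demo():
    """Publish a '3 0 1' record for the self-signed cert; test both certs."""
    published = [make_dane_ee_record(SELF_SIGNED_CERT_DER)]
    return (dane_ee_accepts(SELF_SIGNED_CERT_DER, published),
            dane_ee_accepts(ROGUE_CA_CERT_DER, published))


if __name__ == "__main__":
    rec = make_dane_ee_record(SELF_SIGNED_CERT_DER)
    print("_443._tcp.example.com. IN TLSA", rec.to_presentation())
    print("(self-signed accepted, rogue accepted) =", demo())
```

The comparison uses `hmac.compare_digest` so the match does not leak timing on the digest bytes. Note that this is exactly the property the thread worries about: whoever controls the zone (and, by delegation, the parent) can publish a usage-3 record for any key, so the record proves control of the name, not the identity of the holder.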
