Indeed, thanks for pointing it out: CAA is meant to be used at certificate issue time; an oversight of mine.

For the TLSA record, upon rereading that RFC, I think the values 0 and 1 for
the certificate usage field are OK.

Together with an official CA, the domain administrator can, via another way (DNS/DNSSEC), inform the users of the CA that has been chosen for the domain.

There are a number of cases where this does not contribute to security (a malicious user who obtained a certificate and publishes the corresponding TLSA RR); but good/genuine users can inform the users of the CA that has been chosen. If there is support at the client side, they now have the capability to detect a "weird" certificate: apparently correct, by a trusted CA, but not chosen by the domain (cf. the DigiNotar case).


However, values 2 and 3 introduce a way to use DNS only. The certificate is still used, because it is simply a built-in and widely supported way to encrypt, but the "who has created the certificate" is irrelevant, since, via the TLSA record with the given values, the domain admin can simply OK whatever certificate was generated locally. This shift (in who provides identity) from "only trusted CA" to "only via DNS info" is, in my opinion, a bad idea. Probably, as Paul Wouters contributed in this conversation, it is possible to obtain genuine certificates from not-so-good CAs, but a complete shift to DNS only is no improvement, as it is possible to register domain names with hardly any identity verification as well.


Kind regards,

Marc

On Fri, Feb 1, 2013 at 6:41 PM, Paul Wouters <[email protected]> wrote:
> On Fri, 1 Feb 2013, Marc Lampo wrote:
>
>> I am however concerned with the suggestion to cover "it" with all DNS
>> means!
>> Because I know for sure that registering a domain can be and is quite
>> anonymous as well.
>
>
> and getting a DV cert issued from a random SSL provider from that point
> onwards is just as anonymous. It does not even require money if you just
> want it for a few months.
>
> So yes, the collective "we" have moved from "click the self-signed cert
> warning away" to "be aware of frauds when the URL bar isn't green".
>
> Are you suggesting we bring the popups back for non-green URLs in
> browsers? If not, what _do_ you suggest we do?
>
> Paul
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
