On Thursday, August 16, 2018 at 3:34:01 PM UTC-5, Paul Wouters wrote:

> Why would people not in the business of being a CA do a better job than
> those currently in the CA business?

I certainly do not assert that there would be no learning curve. However, these same registries for the generic TLDs are already implementing cryptographic signatures and delegations at scale for DNSSEC, including signatures over the delegation records to authoritative DNS as well as cryptographic assurances that DNSSEC is not enabled for a given domain. Many of the operational concerns of a CA are already being undertaken today as part of the job routinely performed by the registries.

> If you want a radical change that makes it simpler, start doing TLSA in
> DNSSEC and skip the middle man that issues certs based on DNS records.

The trouble that I see with that scheme is the typical location of DNSSEC validation. DNSSEC + a third-party CA witnessing point-in-time correctness of the validation challenge as DNSSEC-signed allows DNSSEC to provide some improvement to issuance-time DNS validation. However, as soon as you take a third-party CA out of the picture, you no longer have a "witness" with a controlled environment (independent network vantage point, proper ensuring of DNSSEC signature validity, etc.). Desktop clients today don't generally perform DNSSEC validation themselves, relying upon the resolver that they reference to perform that task. This opens a door for a man in the middle between the desktop and the recursive resolver.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
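The point about where validation happens, as an added example that is not part of the thread: a stub resolver that reads TLSA data from a resolver's answer sees only the AD header bit, which is set by whoever answered on the last hop. The example parses a constructed DNS response (hypothetical name `_443._tcp.example.com`, made-up SHA-256 value) and applies the policy that TLSA data is usable only when the client validated the chain itself or reached a validating resolver over an authenticated channel.

```python
"""Added example: parse a DNS response carrying a TLSA RR and decide whether a
stub may rely on it for DANE. The sample message is constructed, not captured."""
import struct

TYPE_TLSA = 52
AD_FLAG = 0x0020  # "Authenticated Data" bit in the DNS header flags word

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:       # two-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_response(msg):
    """Return (ad_bit_set, [(usage, selector, matching_type, assoc_data_hex), ...])."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QNAME, QTYPE, QCLASS
    tlsa = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TLSA:
            tlsa.append((rdata[0], rdata[1], rdata[2], rdata[3:].hex()))
    return bool(flags & AD_FLAG), tlsa

def dane_usable(msg, validation):
    """validation: 'local' (stub validated the DNSSEC chain itself), 'authenticated'
    (validating resolver reached over an authenticated channel), or 'plain'
    (cleartext stub-to-resolver hop, the common desktop case described above)."""
    ad, tlsa = parse_response(msg)
    if not tlsa:
        return False
    if validation == "local":
        return True
    if validation == "authenticated":
        return ad                 # AD bit is meaningful only from a trusted resolver
    return False                  # 'plain': the AD bit is unprotected on the path

def build_constructed_response(ad):
    """Constructed sample: one TLSA RR (DANE-EE, SPKI, SHA-256) for _443._tcp.example.com."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400 | (AD_FLAG if ad else 0), 1, 1, 0, 0)
    question = b"\x04_443\x04_tcp\x07example\x03com\x00" + struct.pack("!HH", TYPE_TLSA, 1)
    rdata = bytes([3, 1, 1]) + bytes([0xAB]) * 32   # made-up 32-byte digest
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TLSA, 1, 300, len(rdata)) + rdata
    return hdr + question + answer
```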