On Friday, August 17, 2018 at 2:01:55 AM UTC-5, Peter Gutmann wrote:

> That was actually debated by one country, that whenever anyone bought a domain
> they'd automatically get a certificate for it included. Makes perfect sense,
> owning the domain is a pretty good proof of ownership of the domain for
> certificate purposes. It eventually sank under the cost and complexity of
> registrars being allowed to operate CAs that were trusted by browsers [0].
That's very interesting. I would be curious to know the timing of this. Was this before or after massive deployment of DNSSEC by the registries?

Also, I wish to clarify one tiny point again: I submit that only the Registries would be operating CAs and performing signature operations. Registrars would merely interface with the registries. This is an important and noteworthy distinction, as there are far fewer Registries than Registrars (and additionally the burdens and complexities of operating as a Registry are significantly greater than the challenges of running a Registrar).

As to the questions of the complexity of gaining trust by the browsers, I assume this question arose because the discussion centered around trying to fit such a scheme to the current WebPKI and its assumptions. I'm inclined to believe that if the browsers and the Registries and/or ICANN on their behalf wanted to create a secure and trustable mechanism, it could happen.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy