Mateusz: How do you see IANA controlling which parties get certificates for the access_administratively_disabled.net domain?
Russ

P.S. If I recall RFC 1034 and 1035 correctly, domain name labels may contain only letters, digits, and hyphen. Underscore is not allowed.

> On Jan 3, 2018, at 7:48 AM, Mateusz Jończyk <[email protected]> wrote:
>
> Hello,
> Based on your feedback (for which I am grateful) I have designed a new version
> of the access_administratively_disabled mechanism.
>
> 1. One new AlertDescription value should be specified:
> access_administratively_disabled.
>
> 2. The information why the webpage is blocked is specified at the URL
> https://access_administratively_disabled.net?d=${domain_name} as a simple
> string.
>
> 3. Certificates for access_administratively_disabled.net are assigned in an
> unusual way: any big entity that blocks websites (e.g. OpenDNS) may get a
> certificate for access_administratively_disabled.net provided that their
> identity is validated (i.e. in an Extended-Validation way). The list of
> entities that received certificates for this domain would be made public and
> managed by IANA. This way the risk of phishing would be eliminated.
>
> 4. Any entity that is blocking some websites would redirect traffic for
> access_administratively_disabled.net to their own servers.
>
> 5. After getting an access_administratively_disabled warning a browser would
> open https://access_administratively_disabled.net?d=${domain_name}, validate
> its certificate and display to the user information: what gets blocked, by
> whom and why.
>
> 6. If https://access_administratively_disabled.net would not have a valid
> certificate, the browser would only display that the website is being blocked,
> without giving any reason.
>
> 7. IANA or someone else would provide a default
> https://access_administratively_disabled.net service for the public internet.
>
> This mechanism would provide blocking transparency without affecting security.
>
> Greetings,
> Mateusz Jończyk
>
> _______________________________________________
> TLS mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/tls
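Russ's P.S. is a concrete, checkable objection: the proposed name uses underscores, which the "preferred name syntax" of RFC 1034 section 3.5 (letters, digits and hyphen, labels not starting or ending with a hyphen, with RFC 1123 later allowing a leading digit) does not permit, and RFC 1035 caps labels at 63 octets. The following Python is an added example written for this editing pass, not code from the thread or from any browser or IANA tooling; it checks a hostname against those rules and builds the step-5 URL. The function names, the 253-character limit on the textual form of a name, and the percent-encoding of the `d` parameter are my assumptions.

```python
from typing import List
from urllib.parse import quote

# Added example (not from the thread). Checks a hostname against the
# RFC 1034 section 3.5 "preferred name syntax" as relaxed by RFC 1123:
# each label consists of ASCII letters, digits and hyphens (the LDH rule),
# does not begin or end with a hyphen, and is at most 63 octets (RFC 1035).
# The 253-octet limit on the textual form of the whole name is an assumption
# derived from RFC 1035's 255-octet wire limit.


def hostname_violations(hostname: str) -> List[str]:
    """Return human-readable violations; an empty list means the name is valid."""
    problems: List[str] = []
    name = hostname.rstrip(".")  # a trailing dot only marks an absolute name
    if not name:
        return ["empty hostname"]
    if len(name) > 253:
        problems.append(f"name is {len(name)} octets, limit is 253")
    for label in name.split("."):
        if not label:
            problems.append("empty label (consecutive dots)")
            continue
        if len(label) > 63:
            problems.append(f"label {label!r} is {len(label)} octets, limit is 63")
        non_ldh = sorted(
            {c for c in label if not (c.isascii() and (c.isalnum() or c == "-"))}
        )
        if non_ldh:
            problems.append(f"label {label!r} contains non-LDH character(s) {non_ldh}")
        elif label[0] == "-" or label[-1] == "-":
            problems.append(f"label {label!r} begins or ends with a hyphen")
    return problems


def is_valid_hostname(hostname: str) -> bool:
    return not hostname_violations(hostname)


def block_info_url(info_host: str, blocked_domain: str) -> str:
    """Build the URL a browser would fetch in step 5 of the proposal.

    Assumptions not stated in the thread: the info host must itself be a valid
    hostname, the path is normalised to "/", and the blocked domain is
    percent-encoded so that characters such as '&' or '#' in an odd-looking
    name cannot alter the query string.
    """
    problems = hostname_violations(info_host)
    if problems:
        raise ValueError(f"{info_host!r} is not a valid hostname: {'; '.join(problems)}")
    return f"https://{info_host}/?d={quote(blocked_domain, safe='')}"


if __name__ == "__main__":
    # Constructed sample names: the proposed one, a hyphenated variant,
    # an ordinary name, and two deliberately broken ones.
    for candidate in (
        "access_administratively_disabled.net",
        "access-administratively-disabled.net",
        "example.com.",
        "-bad.example",
        "x" * 64 + ".example",
    ):
        problems = hostname_violations(candidate)
        print(f"{candidate}: {'OK' if not problems else '; '.join(problems)}")
    print(block_info_url("access-administratively-disabled.net", "a&b.example"))
```

Run as a script, the check flags the underscore labels in the proposed name, accepts the hyphenated spelling, and shows why the `d` parameter needs encoding before it is placed in a query string.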
