On 03.01.2018 at 17:08, Russ Housley wrote:
> Mateusz:
>
> How do you see IANA controlling which parties get certificates for the
> access_administratively_disabled.net domain?

IANA is just an example, there could be some other provider controlling the
access_administratively_disabled.net domain - possibly even OpenDNS.
Subdomains [1] would be given out just like EV certificates are today - only
proof of identity (and of payment) would be required.

> Russ
>
> P.S. If I recall RFC 1034 and 1035 correctly, domain name labels may contain
> only letters, digits, and hyphen. Underscore is not allowed.

Yup, I also thought so. access_administratively_disabled.net is only a
placeholder, the final domain name would be different.

Greetings,
Mateusz

[1] For a slight modification of the proposal, see
https://www.ietf.org/mail-archive/web/tls/current/msg25226.html

>> On Jan 3, 2018, at 7:48 AM, Mateusz Jończyk <[email protected]> wrote:
>>
>> Hello,
>> Based on your feedback (for which I am grateful) I have designed a new version
>> of the access_administratively_disabled mechanism.
>>
>> 1. One new AlertDescription value should be specified:
>> access_administratively_disabled.
>>
>> 2. The information why the webpage is blocked is specified at the URL
>> https://access_administratively_disabled.net?d=${domain_name} as a simple
>> string.
>>
>> 3. Certificates for access_administratively_disabled.net are assigned in a
>> non-usual way: any big entity that blocks websites (e.g. OpenDNS) may get a
>> certificate for access_administratively_disabled.net provided that their
>> identity is validated (i.e. in an Extended-Validation way). The list of
>> entities that received certificates for this domain would be made public and
>> managed by IANA. This way the risk of phishing would be eliminated.
>>
>> 4. Any entity that is blocking some websites would redirect traffic for
>> access_administratively_disabled.net to their own servers.
>>
>> 5. After getting an access_administratively_disabled warning a browser would
>> open https://access_administratively_disabled.net?d=${domain_name}, validate
>> its certificate and display to the user information: what gets blocked, by
>> whom and why.
>>
>> 6. If https://access_administratively_disabled.net would not have a valid
>> certificate, the browser would only display that the website is being
>> blocked, without giving any reason.
>>
>> 7. IANA or someone else would provide a default
>> https://access_administratively_disabled.net service for the public internet.
>>
>> This mechanism would provide blocking transparency without affecting
>> security.
>>
>> Greetings,
>> Mateusz Jończyk
>>
>> _______________________________________________
>> TLS mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/tls
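The browser-side handling described in steps 2, 5 and 6 of the quoted proposal, as an added example that is not part of this thread or of any implementation: it builds the block-info URL for the blocked domain and shows the blocker's reason only when the certificate validated and the certificate subject is on the public list from step 3. The alert code point, the organisation names and the response structure are constructed assumptions; the proposal assigns none of them.

```python
from dataclasses import dataclass
from typing import Optional, Set
from urllib.parse import quote

# Hypothetical code point: the proposal names the alert but assigns no number.
ALERT_ACCESS_ADMINISTRATIVELY_DISABLED = 255

# Placeholder host from the thread (underscores are not valid in DNS labels).
BLOCK_INFO_HOST = "access_administratively_disabled.net"

# Constructed stand-in for the public list of entities holding certificates
# for the block-info domain (step 3), keyed by certificate subject organisation.
REGISTERED_BLOCKERS: Set[str] = {"Example Filtering Ltd", "Example ISP"}


@dataclass
class BlockInfoResponse:
    """Outcome of the browser's fetch of the block-info URL (step 5)."""
    cert_valid: bool            # chain validated for BLOCK_INFO_HOST
    subject_org: Optional[str]  # EV subject organisation, if any
    body: str                   # the "simple string" reason (step 2)


def block_info_url(domain: str) -> str:
    """Build the URL from step 2, percent-encoding the blocked domain name."""
    return f"https://{BLOCK_INFO_HOST}?d={quote(domain, safe='')}"


def render_block_notice(alert: int, domain: str, resp: BlockInfoResponse,
                        registered: Set[str] = REGISTERED_BLOCKERS) -> str:
    """Decide what the browser may show the user (steps 5 and 6).

    The reason text is shown only when the certificate validated AND the
    subject is on the public list; otherwise only the bare fact of blocking
    is displayed, so an on-path party cannot inject a fabricated reason.
    """
    if alert != ALERT_ACCESS_ADMINISTRATIVELY_DISABLED:
        raise ValueError("not an access_administratively_disabled alert")
    if not resp.cert_valid or resp.subject_org not in registered:
        return f"{domain} is blocked. No further information is available."
    # Treat the body as opaque text: collapse whitespace and bound the length.
    reason = " ".join(resp.body.split())[:200]
    return f"{domain} is blocked by {resp.subject_org}: {reason}"
```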
