On Fri, Jun 28, 2013 at 8:00 AM, Phillip Hallam-Baker <[email protected]> wrote:

> CAA faced the problem of identifying a CA.
>
> During the evolution of the draft we went through pretty much every scheme mentioned in this thread. In the end we decided to go with a domain name that is asserted for that purpose by the CA. So symantec.com / comodo.com/ etc.

Makes sense. How do CAs assert the domain name they'd like to be referenced by? Are these domain names something that could be tracked by the CAB Forum, browser root stores, or some other party?

HPKP still needs to map the declared domain name to a set of keys. Perhaps CAs could maintain a list at a "well-known" URI derived from the domain name?

https://comodo.com/.well-known/hpkp-keys.json

Browser vendors could scan this list periodically and keep their browsers in sync with the latest keys from the major CAs. CAs would make sure to publish new keys in advance of issuing certs under a new root. If a browser encounters an unknown domain name, it could contact the URI itself, so this doesn't disenfranchise private CAs.

Anyways, I rather like this. I think it's a much easier route to CA pinning than expecting websites to maintain key lists themselves.

Others?

Trevor
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
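An added sketch (not from the thread, nor any CA's or browser's code) of the mechanism Trevor describes: a CA publishes a key list at a well-known URI under the domain name it asserts, and a browser maps that name to a set of pins, fetching the list itself when it meets a CA it has not cached. The JSON field names, the CA domain `example-ca.test` and the SPKI byte strings are constructed for illustration; pin values use the HPKP pin-sha256 form (base64 of SHA-256 over the DER SubjectPublicKeyInfo).

```python
import base64
import hashlib
import json

def spki_pin(spki_der: bytes) -> str:
    """HPKP pin-sha256: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def well_known_uri(ca_domain: str) -> str:
    return f"https://{ca_domain}/.well-known/hpkp-keys.json"

CA_ROOT_SPKI = b"constructed-ca-root-spki"          # constructed stand-ins for DER SPKIs
CA_NEW_ROOT_SPKI = b"constructed-ca-new-root-spki"  # published ahead of first use
CA_DOMAIN = "example-ca.test"
# Constructed hpkp-keys.json as a CA might publish it; the field names are assumptions.
HPKP_KEYS_JSON = json.dumps({"ca": CA_DOMAIN, "pins": [
    {"pin-sha256": spki_pin(CA_ROOT_SPKI)}, {"pin-sha256": spki_pin(CA_NEW_ROOT_SPKI)}]})
# Stand-in for the HTTPS fetch: only the constructed CA has published a list.
PUBLISHED = {well_known_uri(CA_DOMAIN): HPKP_KEYS_JSON}

def parse_hpkp_keys(doc: str, expected_ca: str) -> set:
    """Validate a fetched list: asserted CA name must match the domain it came from."""
    data = json.loads(doc)
    if data.get("ca") != expected_ca:
        raise ValueError("key list asserts a different CA name")
    pins = set()
    for entry in data.get("pins", []):
        pin = entry["pin-sha256"]
        if len(base64.b64decode(pin, validate=True)) != 32:
            raise ValueError("pin is not a SHA-256 digest")
        pins.add(pin)
    if not pins:
        raise ValueError("key list carries no pins")
    return pins

class CaPinStore:
    """Browser-side cache of CA name -> pins; `fetch` is injected so this runs offline."""
    def __init__(self, fetch):
        self.fetch, self.pins_by_ca = fetch, {}

    def pins_for(self, ca_domain: str) -> set:
        if ca_domain not in self.pins_by_ca:  # unknown CA: contact its URI directly
            doc = self.fetch(well_known_uri(ca_domain))
            self.pins_by_ca[ca_domain] = parse_hpkp_keys(doc, ca_domain)
        return self.pins_by_ca[ca_domain]

def chain_pinned_to_ca(chain_spkis, ca_domain: str, store: CaPinStore) -> bool:
    """HPKP-style match: some SPKI in the served chain is one the named CA declared."""
    return any(spki_pin(s) in store.pins_for(ca_domain) for s in chain_spkis)
```

A periodic refresh by the browser vendor would simply re-run `parse_hpkp_keys` over each cached CA's URI and replace the entry, so a root announced ahead of first use is already pinned when certificates under it appear.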
