CAA does not require a central registry. But it does require CAs to decide what DNS name(s) they are going to use.
For key pinning to work the Web Browsers are going to have to track the correspondence of name to roots in any case. So it basically becomes a consistency thing. If it makes sense to do that centrally, it makes sense for CABForum to be the venue. But it is an 'emergent' process.

On Fri, Jun 28, 2013 at 4:32 PM, Trevor Perrin <[email protected]> wrote:

>
> On Fri, Jun 28, 2013 at 8:00 AM, Phillip Hallam-Baker <[email protected]> wrote:
>
>> CAA faced the problem of identifying a CA.
>>
>> During the evolution of the draft we went through pretty much every scheme mentioned in this thread. In the end we decided to go with a domain name that is asserted for that purpose by the CA. So symantec.com / comodo.com / etc.
>>
>
> Makes sense.
>
> How do CAs assert the domain name they'd like to be referenced by? Are these domain names something that could be tracked by the CAB Forum, browser root stores, or some other party?
>
>
> HPKP still needs to map the declared domain name to a set of keys. Perhaps CAs could maintain a list at a "well-known" URI derived from the domain name?
>
> https://comodo.com/.well-known/hpkp-keys.json
>
> Browser vendors could scan this list periodically and keep their browsers in sync with the latest keys from the major CAs. CAs would make sure to publish new keys in advance of issuing certs under a new root.
>
> If a browser encounters an unknown domain name, it could contact the URI itself, so this doesn't disenfranchise private CAs.
>
> Anyways, I rather like this. I think it's a much easier route to CA pinning than expecting websites to maintain key lists themselves.
>
> Others?
>
>
> Trevor
>
>

--
Website: http://hallambaker.com/
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
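The two mechanisms this message and the quoted reply discuss, as an added example that is not code from the websec thread, from RFC 6844, or from any CA or browser vendor: first, CAA identifying a CA by a domain name the CA asserts (the "comodo.com"-style issuer name in an `issue` / `issuewild` record) and the CA-side check of that name against the relevant CAA RRset; second, the follow-on problem of mapping a declared CA domain to a set of keys, modelled as a JSON list the CA would serve at a well-known URI. The zone data, the key lists, the SPKI bytes and the `{"keys": [...]}` document shape are all constructed assumptions; the mail names the URI but does not specify a format.

```python
"""CA identification by asserted domain name: CAA check plus a declared-CA key map.

Added example, not code from the websec thread, RFC 6844, or any CA or browser.
All zone data, key lists and SPKI bytes below are constructed for illustration.
"""
import base64
import hashlib
import json

# Constructed CAA zone data: owner name -> CAA RRs in "flags tag value" form.
CONSTRUCTED_ZONE = {
    "example.com": [
        '0 issue "comodo.com"',               # only this CA may issue non-wildcard certs
        '0 issuewild ";"',                    # no CA may issue wildcard certs
        '0 iodef "mailto:caa@example.com"',   # reporting address; not an authorization rule
    ],
    "sub.other.example": ['128 unknowntag "whatever"'],  # critical flag on an unknown tag
    "locked.example": ['0 issue ";"'],                   # no CA may issue at all
}


def parse_caa(rr):
    """Parse one CAA RR string into its critical flag, tag and unquoted value."""
    flags, tag, value = rr.split(None, 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return {"critical": bool(int(flags) & 128), "tag": tag.lower(), "value": value}


def relevant_caa_rrset(zone, name):
    """RFC 6844 lookup: climb from the name toward the root; the first CAA RRset wins.
    CNAME/alias handling is omitted for brevity."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return [parse_caa(rr) for rr in zone[owner]]
    return []


def ca_may_issue(zone, fqdn, ca_domain):
    """Decide whether the CA identified by ca_domain may issue for fqdn.
    Returns (allowed, reason). A leading "*." selects issuewild rules when present."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    rrset = relevant_caa_rrset(zone, name)
    if not rrset:
        return True, "no CAA records: issuance is not restricted"
    known_tags = {"issue", "issuewild", "iodef"}
    for rr in rrset:
        if rr["critical"] and rr["tag"] not in known_tags:
            return False, f"critical record with unknown tag {rr['tag']!r}"
    tag = "issue"
    if wildcard and any(rr["tag"] == "issuewild" for rr in rrset):
        tag = "issuewild"
    relevant = [rr for rr in rrset if rr["tag"] == tag]
    if not relevant:
        return True, f"no {tag} records: issuance is not restricted"
    for rr in relevant:
        # Value is "<issuer-domain>[; parameters]"; an empty issuer (";") names no CA.
        issuer = rr["value"].split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True, f"{tag} record names {issuer}"
    return False, f"{tag} records do not name {ca_domain}"


def spki_pin(spki_der):
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed stand-in for a document a CA might serve at
# https://<ca-domain>/.well-known/hpkp-keys.json (URI form from the mail; shape assumed).
CONSTRUCTED_KEY_LISTS = {
    "comodo.com": json.dumps({"keys": [spki_pin(b"constructed-comodo-root-spki-1"),
                                       spki_pin(b"constructed-comodo-root-spki-2")]}),
}


def chain_matches_declared_ca(ca_domain, chain_spkis, key_lists):
    """Check that some SPKI in the served chain appears in the declared CA's key list.
    Returns (matched, reason); matched is None when no list is cached for the domain,
    i.e. the client would still have to fetch the well-known URI."""
    doc = key_lists.get(ca_domain.lower())
    if doc is None:
        return None, f"no key list cached for {ca_domain}"
    pins = set(json.loads(doc)["keys"])
    for spki in chain_spkis:
        if spki_pin(spki) in pins:
            return True, f"chain pin {spki_pin(spki)} is listed for {ca_domain}"
    return False, f"no chain key is listed for {ca_domain}"


if __name__ == "__main__":
    for fqdn, ca in [("www.example.com", "comodo.com"), ("*.example.com", "comodo.com"),
                     ("host.sub.other.example", "symantec.com")]:
        print(fqdn, ca, ca_may_issue(CONSTRUCTED_ZONE, fqdn, ca))
    print(chain_matches_declared_ca("comodo.com", [b"constructed-comodo-root-spki-2"],
                                    CONSTRUCTED_KEY_LISTS))
```

The two halves are deliberately separate: `ca_may_issue` is the check a CA runs at issuance time and needs only the asserted domain name, while `chain_matches_declared_ca` is the client-side step that the thread points out CAA alone does not solve, since a browser that knows a CA's name still needs that name resolved to keys.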
