Re: [opennic-discuss] SSL-certificates for OpenNIC based TLDs

  • From: Amunak <amunak AT amunak.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] SSL-certificates for OpenNIC based TLDs
  • Date: Sun, 20 Nov 2016 16:09:02 +0100
  • Archived-at: <https://lists.opennicproject.org/sympa/arcsearch_id/discuss/2016-11/67da224d-3658-c30c-57db-8d64d0444d15%40amunak.net>
  • List-archive: <https://lists.opennicproject.org/sympa/arc/discuss>
  • List-id: <discuss.lists.opennicproject.org>

While we can't "drop money" if trust is lost (mostly certificate leaked or cracked) we can provide authentication and security. Given how OpenNIC registrars are centralized it shouldn't be hard to require them to offer people SSL certs. And since the registrar would issue the cert it could also exactly match the domain expiration and be offered in the same administration app, something that regular CAs can't do and which would be really nice for users - it would also mean they wouldn't have to authorize with the CA separately.

We can also use certificate extensions to limit the signing ability (at least for the intermediate CAs) to prevent potential MITM attacks by spoofing certs for other domain roots.

If I understand your blockchain solution correctly it would also add verifiability to the trust which also sounds like a good idea.

So yeah, I think that while all this would require some effort (both in bureaucracy and actual technical implementation and such) it'd be great.

And then maybe later... Hopefully... we may even be able to push for this CA / the intermediates to be added as default to the trusted authorities list in browsers and OSes? Or cross-signed by someone trusted? That'd also be a nice long-term goal.

Amunak


On 20.11.2016 13:21, Stas wrote:
Hello!

On 20.11.2016 15:46, Amunak wrote:

They shouldn't really exist as the CA/Browser forum requirements for CAs state that the CA should verify the ownership of the domain(s) that the certificate is issued to. And since OpenNIC domains aren't recognized by them (and we could technically make up any TLD that ICANN later registers or even a conflicting one right now) they cannot allow that.

We could (and probably should) roll our own CA for OpenNIC TLDs, perhaps with an intermediate for each TLD or something and then give out those certs (ideally together with the registrations of the domains). When someone goes on to configure their DNS to OpenNIC servers it shouldn't be much harder to also add a trusted CA to their certificate store.

It would however require a lot of bureaucracy on our part (as in writing at least some guidelines and such).


Here are two problems.
1st, small: A lot of bureaucracy.
2nd, big: The trust in this CA.

In the "big internet" each CA is trusted because it is a commercial company and it will drop really big money if trust is lost.
In the OpenNIC community a mechanism for the trust doesn't exist.

I know one solution: the blockchain.
FYI: OpenNIC used the domain zones from the blockchains Namecoin (.bit) and
Emercoin (.lib, .coin, ...). The Emercoin blockchain also implements trust for the SSL PKI: someone may write the pair "name-certificate" into the blockchain and it will be stored there indefinitely.
The technology for client authentication is already implemented in Emercoin. We (or someone else) may develop and implement our own tech for server identification.
Some effort is required to integrate EMC PKI into browsers, but anyone may manually check the certificate (compare the fingerprint of the site's certificate with the copy in the blockchain).

On 20.11.2016 11:36, yanosz wrote:
Hello folks,

short one: Are there any ways to get TLS / SSL certificates for
non-ICANN TLDs, such as OpenNIC ones?
Is there any CA issuing these certificates?

-- 
Stas

--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org

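The name-constrained per-TLD intermediate that Amunak proposes above (limiting an intermediate's signing ability so a leaked key cannot spoof certs for other domain roots) can be built and checked with the plain openssl CLI. This is an added example, not code from the thread or from the OpenNIC project; the CA names, the use of .bit as the sample TLD and the two hostnames are assumed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): a private OpenNIC-style PKI in which the
# per-TLD intermediate is name-constrained to one TLD (.bit used as a sample).
# Needs only the openssl CLI; all keys are throwaway demo keys.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# newkey NAME CN: throwaway RSA key plus CSR for the given subject.
newkey() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# 1. Self-signed root (kept offline in a real deployment).
newkey root "Demo OpenNIC Root"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/root.ext"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
  -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null

# 2. Intermediate for .bit. nameConstraints is what stops this CA from issuing
#    for other roots even if its key leaks; pathlen:0 stops further sub-CAs.
newkey int "Demo .bit Intermediate"
printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
  'keyUsage=critical,keyCertSign,cRLSign' \
  'nameConstraints=critical,permitted;DNS:.bit' > "$WORK/int.ext"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -sha256 -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null

# 3. Issue a server cert for $1 under the intermediate (the registrar's job).
issue_leaf() {
  newkey "$1" "$1"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# 4. Build the chain root -> intermediate -> leaf and say whether a client that
#    trusts only the root accepts it. Prints "accepted" or "rejected".
check_constraint() {
  issue_leaf "$1"
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
       "$WORK/$1.crt" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

echo "www.example.bit: $(check_constraint www.example.bit)"  # accepted
echo "www.example.com: $(check_constraint www.example.com)"  # rejected: permitted subtree violation
```

A client that has only the root in its trust store rejects the second chain even though every signature in it is valid, which is the property that makes a compromised per-TLD intermediate far less useful for MITM against other roots.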
