
discuss - Re: [opennic-discuss] SSL-certificates for OpenNIC based TLDs

  • From: Stas <stas.grumbler AT gmail.com>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] SSL-certificates for OpenNIC based TLDs
  • Date: Sun, 20 Nov 2016 17:21:45 +0500
  • Archived-at: <https://lists.opennicproject.org/sympa/arcsearch_id/discuss/2016-11/58319559.4080909%40gmail.com>
  • List-archive: <https://lists.opennicproject.org/sympa/arc/discuss>
  • List-id: <discuss.lists.opennicproject.org>

Hello!

On 20.11.2016 15:46, Amunak wrote:

> They shouldn't really exist as the CA/Browser Forum requirements for CAs state that the CA should verify the ownership of the domain(s) that the certificate is issued to. And since OpenNIC domains aren't recognized by them (and we could technically make up any TLD that ICANN later registers or even a conflicting one right now) they cannot allow that.
>
> We could (and probably should) roll our own CA for OpenNIC TLDs, perhaps with an intermediate for each TLD or something and then give out those certs (ideally together with the registrations of the domains). When someone goes on to configure their DNS to OpenNIC servers it shouldn't be much harder to also add a trusted CA to their certificate store.
>
> It would however require a lot of bureaucracy on our part (as in writing at least some guidelines and such).


Here are two problems.
1st, small: a lot of bureaucracy.
2nd, big: the trust in this CA.

In the "big internet" each CA is trusted because it is a commercial company and it will lose really big money if trust is lost.
In the OpenNIC community a mechanism for trust doesn't exist.

I know one solution: the blockchain.
FYI: OpenNIC used the domain zones from the blockchains Namecoin (.bit) and Emercoin (.lib, .coin, ...). The Emercoin blockchain also implements trust for the SSL PKI: someone may write the pair "name-certificate" into the blockchain and it will be stored there infinitely.
The technology for client authentication is already implemented in Emercoin. We (or someone else) may develop and implement our own tech for server identification.
Some effort is required for integrating EMC PKI into browsers, but anyone may manually check the certificate (compare the fingerprint of the site's certificate with the copy in the blockchain).




On 20.11.2016 11:36, yanosz wrote:
> Hello folks,
>
> short one: Are there any ways to get TLS / SSL certificates for
> non-ICANN TLDs, such as OpenNIC ones?
> Is there any CA issuing these certificates?



-- 
Stas
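
The manual check described in the message above (compare the fingerprint of the site's certificate with the copy published under its name), as an added example that is not part of the original message and not Emercoin code. It assumes the published record holds a SHA-256 fingerprint of the DER certificate; the `RECORDS` dict is a hypothetical stand-in for a blockchain lookup, and the certificate bytes and the names are constructed placeholders.

```python
import hashlib
import hmac
import ssl


def normalize_fingerprint(text):
    """Accept 'AB:CD:...', spaced or plain hex; return 64 lowercase hex chars."""
    cleaned = "".join(ch for ch in text if ch not in ": \t\n-").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def cert_fingerprint(pem):
    """SHA-256 over the DER encoding, the value browsers display."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def fetch_pem(host, port=443):
    """Fetch the certificate a live server presents (needs network access)."""
    return ssl.get_server_certificate((host, port))


def check_site(name, presented_pem, records):
    """Compare the presented certificate with the record published for name."""
    published = records.get(name)
    if published is None:
        return "no-record"      # nothing published: the check proves nothing
    try:
        expected = normalize_fingerprint(published)
    except ValueError:
        return "bad-record"     # malformed record: treat as a failure
    actual = cert_fingerprint(presented_pem)
    return "match" if hmac.compare_digest(actual, expected) else "mismatch"


# Constructed placeholders: arbitrary bytes wrapped as PEM, not real certificates.
SITE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed placeholder certificate A")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed placeholder certificate B")

_fp = cert_fingerprint(SITE_PEM).upper()
RECORDS = {  # hypothetical layout: name -> fingerprint as the owner published it
    "example.lib": ":".join(_fp[i:i + 2] for i in range(0, 64, 2)),
    "broken.coin": "not-a-fingerprint",
}

if __name__ == "__main__":
    for name, pem in (("example.lib", SITE_PEM), ("example.lib", OTHER_PEM),
                      ("unknown.lib", SITE_PEM), ("broken.coin", SITE_PEM)):
        print(name, check_site(name, pem, RECORDS))
```

Only `match` should be treated as success; a missing or malformed record gives no assurance about the certificate either way.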

