Discuss mailing list

[Hillebrand van de Groep <hillebrand AT flippylosaurus.eu>]

What might be useful is to have a few trusted people in specific geographic areas that will send out a copy of the root CA by mail on request, so that the root CA isn't spread digitally (which has it's issues)

Yes, I know that physical mail has its issues, but they are too insignificant in comparison to digital distribution. 

If we will be using a system like this, I am willing to take the this role for the Netherlands on me.

On January 4, 2017 7:28:21 PM GMT+01:00, Jonah Aragon <jonaharagon AT gmail.com> wrote:

Hello all,

I feel there's a strong need for a Certificate Authority under OpenNIC control so we can validate domain ownership and offer HTTPS support for domain holders without the need for self-signed certificates. Ideally this certificate would be installed as a Trusted Root Certificate in operating systems by every user wishing to join the OpenNIC network, which doesn't seem like too much of a stretch seeing as we already get users to change DNS settings manually.

There's many obvious benefits to setting a system up. It would allow for secure communications between users and OpenNIC enabled servers, and provides a level of trust that the site they're viewing is legitimate, as certificates will only be given to the domain holders, more on that below. Because only the domain holder could possibly have the key, it would mitigate threats of a rogue Tier 2 server changing domain records, maliciously or not. 

I think the best way to go about this would be creating a OpenNIC Root CA and using it to sign Intermediate CAs to each TLD operator. Certificate issuance would fall on the TLD operator's responsibility, either by issuing along with registrations automatically or having a certificate request section in their various control panels, etc. A drawback to this would be the trust needed in TLD operators to only issue legitimate certificates, but we already put a level of trust in Tier 1 operators anyways as they essentially make up the root of our system, so it isn't much of a stretch. I still think this method would work best because there isn't any better person to vouch for a domain's legitimacy than the registrar itself, as opposed to a centralized certificate request system.

If we were to do this, we'd primarily need to think of a system we all trust to issue the Root CA itself, because allowing a single person to issue it and hold the keys would hand them a lot of power, require a lot of trust, and it wouldn't really fit with the decentralized transparent faith of OpenNIC. I'm not sure of a surefire method to solve that particular problem, so I'd love to hear suggestions...

I know some people are already working on a CA for the network, so we could definitely use their help or ideas. Basically I want to make a solution to this problem official and prominently featured to entire as many users on the network as possible are using it, both end-users and server owners.

I'd love to hear all your thoughts on how we can accomplish this.

Jonah

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.