Skip to Content.
Sympa Menu

discuss - Re: [opennic-discuss] Need for a OpenNIC TLD CA

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

List archive

Re: [opennic-discuss] Need for a OpenNIC TLD CA


Chronological Thread 
  • From: Jonah Aragon <jonaharagon AT gmail.com>
  • To: discuss <discuss AT lists.opennicproject.org>
  • Subject: Re: [opennic-discuss] Need for a OpenNIC TLD CA
  • Date: Wed, 4 Jan 2017 18:00:54 -0600

I think spreading the public key digitally would be fine...

The issue I was referring to originally had nothing to do with distribution at all. I was more thinking about generation of the private key for the OpenNIC Root Certificate. Whoever has those conceivably has complete control over the Root, and I don't think that's a great idea.

For storage I was thinking the private key would be split among the Tier 1 operators in sections. No one person should continue to have the entire key. Since we would be using Intermediate CAs in my scenario, there would be little use for the private key to be used outside of the initial generation of those Intermediates and their eventual renewal, which would be a relatively rare occurrence.

I'm not sure what a better solution to key generation that would satisfy everybody would be though...

Jonah

On Jan 4, 2017 5:38 PM, "Famicoman" <famicoman AT gmail.com> wrote:
What are the perceived issues with spreading it digitally? 

I've seen organizations post their root cert for download and then have it signed with the PGP keys of several core members. Hopefully you can trust one of those members. Or, maybe use an official OpenNIC PGP key that is linked to the OpenNIC domain using keybase for verification.

On Jan 4, 2017 3:49 PM, "Hillebrand van de Groep" <hillebrand AT flippylosaurus.eu> wrote:
What might be useful is to have a few trusted people in specific geographic areas that will send out a copy of the root CA by mail on request, so that the root CA isn't spread digitally (which has it's issues)

Yes, I know that physical mail has its issues, but they are too insignificant in comparison to digital distribution.

If we will be using a system like this, I am willing to take the this role for the Netherlands on me.

On January 4, 2017 7:28:21 PM GMT+01:00, Jonah Aragon <jonaharagon AT gmail.com> wrote:
Hello all,

I feel there's a strong need for a Certificate Authority under OpenNIC control so we can validate domain ownership and offer HTTPS support for domain holders without the need for self-signed certificates. Ideally this certificate would be installed as a Trusted Root Certificate in operating systems by every user wishing to join the OpenNIC network, which doesn't seem like too much of a stretch seeing as we already get users to change DNS settings manually.

There's many obvious benefits to setting a system up. It would allow for secure communications between users and OpenNIC enabled servers, and provides a level of trust that the site they're viewing is legitimate, as certificates will only be given to the domain holders, more on that below. Because only the domain holder could possibly have the key, it would mitigate threats of a rogue Tier 2 server changing domain records, maliciously or not. 

I think the best way to go about this would be creating a OpenNIC Root CA and using it to sign Intermediate CAs to each TLD operator. Certificate issuance would fall on the TLD operator's responsibility, either by issuing along with registrations automatically or having a certificate request section in their various control panels, etc. A drawback to this would be the trust needed in TLD operators to only issue legitimate certificates, but we already put a level of trust in Tier 1 operators anyways as they essentially make up the root of our system, so it isn't much of a stretch. I still think this method would work best because there isn't any better person to vouch for a domain's legitimacy than the registrar itself, as opposed to a centralized certificate request system.

If we were to do this, we'd primarily need to think of a system we all trust to issue the Root CA itself, because allowing a single person to issue it and hold the keys would hand them a lot of power, require a lot of trust, and it wouldn't really fit with the decentralized transparent faith of OpenNIC. I'm not sure of a surefire method to solve that particular problem, so I'd love to hear suggestions...

I know some people are already working on a CA for the network, so we could definitely use their help or ideas. Basically I want to make a solution to this problem official and prominently featured to entire as many users on the network as possible are using it, both end-users and server owners.

I'd love to hear all your thoughts on how we can accomplish this.

Jonah

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.



--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org




--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org




Archive powered by MHonArc 2.6.19.

Top of Page