- From: Amunak <amunak AT amunak.net>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] Need for a OpenNIC TLD CA
- Date: Thu, 5 Jan 2017 01:35:25 +0100
There could simply be a task group for handling the key, and ideally we'd strive to have similar measures to cacert's for handling the root cert (http://www.cacert.org/policy/SecurityPolicy.html). We could perhaps also cooperate with cacert to have our intermediate certificates cross-signed by them, which would help with trust in our certificates. Ideally even access to the intermediate certificates (which would always be limited to issuing certs for a single TLD) would be audited, but we could also just give it into the hands of TLD operators (provided they can be trusted and are willing to have proper security practices). But there could simply be an audited API to generate certificates for TLDs that the registration systems could use to issue certificates. Then there could also be a public list of issued certs, which would help greatly with potential issues.

So I'm all for having a CA, it only makes sense, but there need to be good security measures and procedures set in place in order for it not to be prone to abuse. If someone mishandles the root cert, all trust is broken. Same with intermediate certs - if you don't even know what (fraudulent) certs were issued you may as well throw the intermediary away and start over. Fixing issues (even stuff like malicious TLD/T2 operators) is comparatively easier than re-issuing potentially hundreds or thousands of certificates that people actually use.

On 05.01.2017 at 1:00, Jonah Aragon wrote:
I think spreading the public key digitally would be fine...

The issue I was referring to originally had nothing to do with distribution at all. I was more thinking about generation of the private key for the OpenNIC Root Certificate. Whoever has those conceivably has complete control over the Root, and I don't think that's a great idea.

For storage I was thinking the private key would be split among the Tier 1 operators in sections. No one person should continue to have the entire key. Since we would be using Intermediate CAs in my scenario, there would be little use for the private key to be used outside of the initial generation of those Intermediates and their eventual renewal, which would be a relatively rare occurrence.

I'm not sure what a better solution to key generation that would satisfy everybody would be though...

Jonah
On Jan 4, 2017 5:38 PM, "Famicoman" <famicoman AT gmail.com> wrote:
What are the perceived issues with spreading it digitally?

I've seen organizations post their root cert for download and then have it signed with the PGP keys of several core members. Hopefully you can trust one of those members. Or, maybe use an official OpenNIC PGP key that is linked to the OpenNIC domain using keybase for verification.
On Jan 4, 2017 3:49 PM, "Hillebrand van de Groep" <hillebrand AT flippylosaurus.eu> wrote:
What might be useful is to have a few trusted people in specific geographic areas that will send out a copy of the root CA by mail on request, so that the root CA isn't spread digitally (which has its issues).

Yes, I know that physical mail has its issues, but they are too insignificant in comparison to digital distribution. If we will be using a system like this, I am willing to take this role for the Netherlands on me.

On January 4, 2017 7:28:21 PM GMT+01:00, Jonah Aragon <jonaharagon AT gmail.com> wrote:
Hello all,

I feel there's a strong need for a Certificate Authority under OpenNIC control so we can validate domain ownership and offer HTTPS support for domain holders without the need for self-signed certificates. Ideally this certificate would be installed as a Trusted Root Certificate in operating systems by every user wishing to join the OpenNIC network, which doesn't seem like too much of a stretch seeing as we already get users to change DNS settings manually.

There are many obvious benefits to setting a system up. It would allow for secure communications between users and OpenNIC-enabled servers, and provides a level of trust that the site they're viewing is legitimate, as certificates will only be given to the domain holders, more on that below. Because only the domain holder could possibly have the key, it would mitigate threats of a rogue Tier 2 server changing domain records, maliciously or not.

I think the best way to go about this would be creating an OpenNIC Root CA and using it to sign Intermediate CAs to each TLD operator. Certificate issuance would fall on the TLD operator's responsibility, either by issuing along with registrations automatically or having a certificate request section in their various control panels, etc. A drawback to this would be the trust needed in TLD operators to only issue legitimate certificates, but we already put a level of trust in Tier 1 operators anyway as they essentially make up the root of our system, so it isn't much of a stretch. I still think this method would work best because there isn't any better person to vouch for a domain's legitimacy than the registrar itself, as opposed to a centralized certificate request system.

If we were to do this, we'd primarily need to think of a system we all trust to issue the Root CA itself, because allowing a single person to issue it and hold the keys would hand them a lot of power, require a lot of trust, and it wouldn't really fit with the decentralized, transparent faith of OpenNIC. I'm not sure of a surefire method to solve that particular problem, so I'd love to hear suggestions...

I know some people are already working on a CA for the network, so we could definitely use their help or ideas. Basically I want to make a solution to this problem official and prominently featured to ensure as many users on the network as possible are using it, both end-users and server owners.

I'd love to hear all your thoughts on how we can accomplish this.

Jonah
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

-------- You are a member of the OpenNIC Discuss list. You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org