Discuss mailing list

[Amunak <amunak AT amunak.net>]

There could simply be a task group for handling the key, and ideally we'd strive to have similar measures as cacert for handling the root cert as cacert (http://www.cacert.org/policy/SecurityPolicy.html). We could perhaps also cooperate with cacert to have our intermediate certificates cross-signed by them which would help with trust of our certificates.

Ideally even access to the intermediate certificates (which would be always limited to issuing certs for single TLD) would be audited, but we could also just give it to the hands of TLD operators (provided they can be trusted and are willing to have proper security practices). But there could simply be an audited API to generate certificates for TLDs that the registration systems could use to issue certificates. Then there could also be a public list of issued certs which would help greatly with potential issues.

So I'm all for having a CA, it only makes sense, but there need to be good security measures and procedures set in place in order for it not to be prone to abuse. If someone mishandles the root cert, all trust is broken. Same with intermediate certs - if you don't even know what (fradulent) certs were issued you may as well throw the intermediary away and start over. Fixing issues (even stuff like malicious TLD/T2 operators) is comparatively easier than re-issuing potentially hundreds or thousands of certificates that people actually use.

Dne 05.01.2017 v 1:00 Jonah Aragon napsal(a):

I think spreading the public key digitally would be fine...

The issue I was referring to originally had nothing to do with distribution at all. I was more thinking about generation of the private key for the OpenNIC Root Certificate. Whoever has those conceivably has complete control over the Root, and I don't think that's a great idea.

For storage I was thinking the private key would be split among the Tier 1 operators in sections. No one person should continue to have the entire key. Since we would be using Intermediate CAs in my scenario, there would be little use for the private key to be used outside of the initial generation of those Intermediates and their eventual renewal, which would be a relatively rare occurrence.

I'm not sure what a better solution to key generation that would satisfy everybody would be though...

Jonah

On Jan 4, 2017 5:38 PM, "Famicoman" <famicoman AT gmail.com> wrote:

What are the perceived issues with spreading it digitally? 

I've seen organizations post their root cert for download and then have it signed with the PGP keys of several core members. Hopefully you can trust one of those members. Or, maybe use an official OpenNIC PGP key that is linked to the OpenNIC domain using keybase for verification.

On Jan 4, 2017 3:49 PM, "Hillebrand van de Groep" <hillebrand AT flippylosaurus.eu> wrote:

What might be useful is to have a few trusted people in specific geographic areas that will send out a copy of the root CA by mail on request, so that the root CA isn't spread digitally (which has it's issues)

Yes, I know that physical mail has its issues, but they are too insignificant in comparison to digital distribution.

If we will be using a system like this, I am willing to take the this role for the Netherlands on me.

On January 4, 2017 7:28:21 PM GMT+01:00, Jonah Aragon <jonaharagon AT gmail.com> wrote:

Hello all,

I feel there's a strong need for a Certificate Authority under OpenNIC control so we can validate domain ownership and offer HTTPS support for domain holders without the need for self-signed certificates. Ideally this certificate would be installed as a Trusted Root Certificate in operating systems by every user wishing to join the OpenNIC network, which doesn't seem like too much of a stretch seeing as we already get users to change DNS settings manually.

There's many obvious benefits to setting a system up. It would allow for secure communications between users and OpenNIC enabled servers, and provides a level of trust that the site they're viewing is legitimate, as certificates will only be given to the domain holders, more on that below. Because only the domain holder could possibly have the key, it would mitigate threats of a rogue Tier 2 server changing domain records, maliciously or not. 

I think the best way to go about this would be creating a OpenNIC Root CA and using it to sign Intermediate CAs to each TLD operator. Certificate issuance would fall on the TLD operator's responsibility, either by issuing along with registrations automatically or having a certificate request section in their various control panels, etc. A drawback to this would be the trust needed in TLD operators to only issue legitimate certificates, but we already put a level of trust in Tier 1 operators anyways as they essentially make up the root of our system, so it isn't much of a stretch. I still think this method would work best because there isn't any better person to vouch for a domain's legitimacy than the registrar itself, as opposed to a centralized certificate request system.

If we were to do this, we'd primarily need to think of a system we all trust to issue the Root CA itself, because allowing a single person to issue it and hold the keys would hand them a lot of power, require a lot of trust, and it wouldn't really fit with the decentralized transparent faith of OpenNIC. I'm not sure of a surefire method to solve that particular problem, so I'd love to hear suggestions...

I know some people are already working on a CA for the network, so we could definitely use their help or ideas. Basically I want to make a solution to this problem official and prominently featured to entire as many users on the network as possible are using it, both end-users and server owners.

I'd love to hear all your thoughts on how we can accomplish this.

Jonah

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org

--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org

--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org