Discuss mailing list

[Amunak <amunak AT amunak.net>]

While I'd say it is, there should still be auditable (and ideally public) list of operators' actions regarding signing certificates and such - I would not give the private keys to intermediate certs to TLD operators - I would only allow them to use some API for signing (which they could use in their application for issuing certs for verified domain owners). This also helps for cases when TLD operator changes and such and greatly mitigates risks with bad private key handling.

Dne 05.01.2017 v 6:31 spaesani AT mail.com napsal(a):

"we can validate domain ownership"
"offer https support.."

I'd say that'd the tld operator's prerogative.

Wednesday, 04 January 2017, 01:28PM -05:00 from Jonah Aragon jonaharagon AT gmail.com:

Hello all,

I feel there's a strong need for a Certificate Authority under OpenNIC control so we can validate domain ownership and offer HTTPS support for domain holders without the need for self-signed certificates. Ideally this certificate would be installed as a Trusted Root Certificate in operating systems by every user wishing to join the OpenNIC network, which doesn't seem like too much of a stretch seeing as we already get users to change DNS settings manually.

There's many obvious benefits to setting a system up. It would allow for secure communications between users and OpenNIC enabled servers, and provides a level of trust that the site they're viewing is legitimate, as certificates will only be given to the domain holders, more on that below. Because only the domain holder could possibly have the key, it would mitigate threats of a rogue Tier 2 server changing domain records, maliciously or not. 

I think the best way to go about this would be creating a OpenNIC Root CA and using it to sign Intermediate CAs to each TLD operator. Certificate issuance would fall on the TLD operator's responsibility, either by issuing along with registrations automatically or having a certificate request section in their various control panels, etc. A drawback to this would be the trust needed in TLD operators to only issue legitimate certificates, but we already put a level of trust in Tier 1 operators anyways as they essentially make up the root of our system, so it isn't much of a stretch. I still think this method would work best because there isn't any better person to vouch for a domain's legitimacy than the registrar itself, as opposed to a centralized certificate request system.

If we were to do this, we'd primarily need to think of a system we all trust to issue the Root CA itself, because allowing a single person to issue it and hold the keys would hand them a lot of power, require a lot of trust, and it wouldn't really fit with the decentralized transparent faith of OpenNIC. I'm not sure of a surefire method to solve that particular problem, so I'd love to hear suggestions...

I know some people are already working on a CA for the network, so we could definitely use their help or ideas. Basically I want to make a solution to this problem official and prominently featured to entire as many users on the network as possible are using it, both end-users and server owners.

I'd love to hear all your thoughts on how we can accomplish this.

Jonah

--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org

--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org