- From: Amunak <amunak AT amunak.net>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] Need for a OpenNIC TLD CA
- Date: Fri, 6 Jan 2017 19:40:14 +0100
The issue is that you issue intermediate CA certs for, say, 4 years. Now there is a need to transfer the TLD to a new operator, or the old one disappears / stops issuing the certs or something, and you need to make a new one. Fine, but the old one still works, and you can't just reject it, as that would invalidate all the users' certs. The same goes for any other issues with the TLD operator (even just him leaking the private key accidentally, getting hacked, whatever).

With DNS none of this is an issue, since it's easy to "cut off" an operator if the need arises (just remove it from the list and perhaps send an informational email). And only a tiny portion of users is affected. And even existing users (provided that the operator - even if rogue in any way - still provides most replies correctly) are not too affected and have time to switch over.

But certificates are centralized by design. If you want to make issuance, signing, etc. secure, you need to have the root cert in a single place, controlled by a single entity (that is made up of several trusted individuals). You need stuff like HSMs that mandate logging, allow auditing and don't allow the key(s) to be extracted. There is unfortunately no system in place where several individuals would hold the keys and some kind of multisig algorithm would allow x out of y trusted people to sign (new) valid certificates. Which means that at least the root cert must be controlled in a centralized fashion (which I think we all agree on, as there is no way around that as far as I know).

As for the intermediate certs, you can have policies and procedures for the TLD operators, but there is no way to enforce those. Or even to check whether they are following them until something goes horribly wrong (and you potentially have to revoke the intermediate cert, which means breaking websites and other services for tons of unsuspecting people with no time to react). You cannot control whether the list of certs signed/issued by them is complete, etc.

And that's why I think it would be wise not to directly give TLD operators full access to the intermediate certs. I would actually argue that whoever does handle those certs (and the root cert) should ideally be different people from the TLD operators (if we have people capable of handling this), so that there is less room for abuse.

Why less abuse? Because this creates a level of decentralization: TLD operators have immense power. They can silently point (even specific) people to different targets (websites) than they were asked to be on. Now if you combine that power with the power to issue valid certificates for that website (with no way to see that it happened - hence I argue for full certificate disclosure), you are giving even more easily abusable power to those people. Now I don't think any of our current TLD operators would actually do this, but it would be a way to mitigate possible future issues, and it would also make sure that we can enforce certificate signing/issuance policies.

Amunak

On 05.01.2017 at 15:57, Jonah Aragon wrote:
> Forgot to mention, I think it would still be a good policy for a list of issuances from each operator to be made publicly available.
>
> We're not just going to give each operator an Intermediate and have them do what they will completely, we'll have to impose some guidelines for Intermediate holders to follow for sure, with the penalty being revocation at the root... Publishing a list of issuances and revocations is definitely something that every party should do.
>
> Jonah
>
> On Jan 5, 2017 8:52 AM, "Jonah Aragon" <jonaharagon AT gmail.com> wrote:
>> Well, the idea behind intermediate CA certificates for each operator is that they would be able to be revoked if the need arises, which should mitigate your concerns.
>>
>> Better to not rely on a centralized source for certificate issuance, in my opinion. That goes for all OpenNIC projects, they can't rely on a single process.
>>
>> Jonah
>>
>> On Jan 5, 2017 8:47 AM, "Amunak" <amunak AT amunak.net> wrote:
>>> While I'd say it is, there should still be an auditable (and ideally public) list of operators' actions regarding signing certificates and such - I would not give the private keys to intermediate certs to TLD operators - I would only allow them to use some API for signing (which they could use in their application for issuing certs for verified domain owners). This also helps for cases when the TLD operator changes and such, and greatly mitigates risks with bad private key handling.
>>>
>>> On 05.01.2017 at 6:31, spaesani AT mail.com wrote:
-------- You are a member of the OpenNIC Discuss list. You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org --------
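The message above turns on whether a CA signing key can be placed under the control of several people so that x out of y of them are needed to use it. As an added illustration of that k-of-n quorum idea (this is example code written for this page, not code from the thread, from Amunak or from OpenNIC), the block below splits a key into n shares with Shamir secret sharing: any k shareholders can reconstruct it for a signing ceremony, while k-1 shares interpolate to an unrelated value and a ceremony routine refuses to proceed without quorum. The prime field, the 3-of-5 parameters and the 32-byte "CA key" are all constructed for the example; the key bytes are a placeholder, not real key material.

```python
"""k-of-n control of a CA signing key via Shamir secret sharing.

Added illustration for the quorum idea discussed in the thread; not OpenNIC
code. The prime field, the 3-of-5 parameters and the example key bytes are
all constructed for this example.
"""
import secrets
from typing import Callable, List, Sequence, Tuple

# Mersenne prime 2**521 - 1: large enough that any 256-bit key is a field element.
PRIME = 2**521 - 1

Share = Tuple[int, int]  # (x, f(x)) with x in 1..n


def _eval_poly(coeffs: Sequence[int], x: int) -> int:
    """Evaluate f(x) = c0 + c1*x + ... + c_{k-1}*x^(k-1) mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, k: int, n: int,
                 rand: Callable[[int], int] = secrets.randbelow) -> List[Share]:
    """Split `secret` into n shares such that any k recover it.

    The secret is the constant term of a random polynomial of degree k-1;
    share i is the point (i, f(i)). Fewer than k points leave f(0) undetermined.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [rand(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: Sequence[Share]) -> int:
    """Lagrange-interpolate f(0) from the given points.

    With at least k distinct shares this is the secret; with fewer it is some
    unrelated field element, which is exactly what a quorum scheme wants.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # pow(den, PRIME-2) is the modular inverse of den (Fermat; PRIME is prime)
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def key_to_int(key: bytes) -> int:
    return int.from_bytes(key, "big")


def int_to_key(value: int, length: int) -> bytes:
    return value.to_bytes(length, "big")


# Constructed stand-in for a 256-bit CA private key (placeholder, NOT a real key).
EXAMPLE_KEY = b"constructed example CA key bytes"
THRESHOLD, HOLDERS = 3, 5  # assumed ceremony policy: 3 of 5 key holders


def ceremony(shares: Sequence[Share], threshold: int, key_len: int) -> bytes:
    """Enforce the quorum explicitly: fewer than `threshold` participants are
    refused outright rather than being handed a garbage reconstruction."""
    if len(shares) < threshold:
        raise PermissionError(f"quorum not met: {len(shares)} < {threshold}")
    return int_to_key(recover_secret(shares), key_len)


def demo() -> dict:
    """Split the example key 3-of-5 and exercise the quorum property."""
    shares = split_secret(key_to_int(EXAMPLE_KEY), THRESHOLD, HOLDERS)
    results = {
        "any_three": ceremony([shares[0], shares[2], shares[4]], THRESHOLD, 32) == EXAMPLE_KEY,
        "all_five": ceremony(shares, THRESHOLD, 32) == EXAMPLE_KEY,
        "two_wrong": recover_secret(shares[:2]) != key_to_int(EXAMPLE_KEY),
    }
    try:
        ceremony(shares[:2], THRESHOLD, 32)
        results["two_refused"] = False
    except PermissionError:
        results["two_refused"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Two caveats a practitioner would raise against this toy. First, reconstruction puts the whole key on one machine for the duration of the ceremony, so the single point of trust the thread worries about is only moved in time, not removed; production CAs get the same k-of-n property from HSM operator-card quorums or from threshold signature schemes where no party ever holds the full key. Second, the shares themselves need the same handling discipline as the key (separate custodians, separate storage), otherwise the quorum is a formality.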