
Re[2]: [opennic-discuss] Need for a OpenNIC TLD CA


  • From: spaesani AT mail.com
  • To: discuss AT lists.opennicproject.org
  • Subject: Re[2]: [opennic-discuss] Need for a OpenNIC TLD CA
  • Date: Fri, 06 Jan 2017 22:55:16 +0300

Indeed. And ICANN has its certification tied to registrars making efforts to assure the whois records are honest and accurate.

The problem is that even at best it's false integrity assurance.

Real integrity assurance happens through pub key exchange and key integrity assurance, and that is hindered, not helped, by CAs.

Remember CAs were invented as part of a scam and a fraud initiated by Shuttleworth and Andreessen.
(Read up on Zimmermann's web of trust. No CAs. Shuttleworth drummed it up)

Now currently OpenNIC doesn't pretend to assure integrity through whois, nor does OpenNIC push CAs. Of course that may change with membership motions and votes, but you'll never see me condoning CAs or their advocacy. It's both dishonest and not secure.

The best a TLD operator can do is suggest and possibly provide a means and the tools to facilitate a registrant's and their visitors' most secure means of interaction.
That means moving them towards secure pub key exchange and key integrity assurance while advising them of potential hindrances to that security, hindrances like CAs.



--
Sent from myMail for Android

Thursday, 05 January 2017, 07:25AM -05:00 from Jonah Aragon jonaharagon AT gmail.com:

Just pointing out nobody can reasonably verify domain ownership except TLD operators. There isn't like a centralized list of registrations or anything ;)

Jonah

On Jan 4, 2017 11:32 PM, <spaesani AT mail.com> wrote:

"we can validate domain ownership"
"offer https support.."

I'd say that's the TLD operator's prerogative.

Wednesday, 04 January 2017, 01:28PM -05:00 from Jonah Aragon jonaharagon AT gmail.com:

Hello all,

I feel there's a strong need for a Certificate Authority under OpenNIC control so we can validate domain ownership and offer HTTPS support for domain holders without the need for self-signed certificates. Ideally this certificate would be installed as a Trusted Root Certificate in operating systems by every user wishing to join the OpenNIC network, which doesn't seem like too much of a stretch seeing as we already get users to change DNS settings manually.

There are many obvious benefits to setting a system up. It would allow for secure communications between users and OpenNIC enabled servers, and provides a level of trust that the site they're viewing is legitimate, as certificates will only be given to the domain holders, more on that below. Because only the domain holder could possibly have the key, it would mitigate threats of a rogue Tier 2 server changing domain records, maliciously or not.

I think the best way to go about this would be creating an OpenNIC Root CA and using it to sign Intermediate CAs to each TLD operator. Certificate issuance would fall on the TLD operator's responsibility, either by issuing along with registrations automatically or having a certificate request section in their various control panels, etc. A drawback to this would be the trust needed in TLD operators to only issue legitimate certificates, but we already put a level of trust in Tier 1 operators anyways as they essentially make up the root of our system, so it isn't much of a stretch. I still think this method would work best because there isn't any better person to vouch for a domain's legitimacy than the registrar itself, as opposed to a centralized certificate request system.

If we were to do this, we'd primarily need to think of a system we all trust to issue the Root CA itself, because allowing a single person to issue it and hold the keys would hand them a lot of power, require a lot of trust, and it wouldn't really fit with the decentralized transparent faith of OpenNIC. I'm not sure of a surefire method to solve that particular problem, so I'd love to hear suggestions...

I know some people are already working on a CA for the network, so we could definitely use their help or ideas. Basically I want to make a solution to this problem official and prominently featured to ensure as many users on the network as possible are using it, both end-users and server owners.

I'd love to hear all your thoughts on how we can accomplish this.

Jonah


--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org
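The hierarchy Jonah proposes above (an OpenNIC root CA signing one intermediate per TLD operator, who then issues certificates to registrants), as an added Go example that is not code from this thread or from OpenNIC. It assumes Ed25519 keys, a hypothetical .geek TLD and constructed hostnames, and adds one thing the post does not mention: an X.509 name constraint on the intermediate, which narrows the trust placed in each TLD operator (the drawback Jonah raises) by limiting what that operator's CA can validly sign to names under its own TLD.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl under parent with parentKey; a nil parent makes it self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// tmpl returns a CA template (ca == true) or a server-auth leaf template for hostname cn.
func tmpl(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// ChainVerifies builds root -> name-constrained TLD intermediate -> leaf for host and verifies the leaf.
func ChainVerifies(tld, host string) bool {
	root, rootKey := sign(tmpl("OpenNIC Root CA (example)", 1, true), nil, nil)
	interTmpl := tmpl(tld+" TLD CA (example)", 2, true)
	interTmpl.PermittedDNSDomainsCritical = true // RFC 5280 requires name constraints to be critical
	interTmpl.PermittedDNSDomains = []string{"." + tld}
	inter, interKey := sign(interTmpl, root, rootKey)
	leaf, _ := sign(tmpl(host, 3, false), inter, interKey) // issuance itself is not constrained...
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil // ...but path validation rejects a leaf whose name lies outside tld
}
```

ChainVerifies("geek", "www.example.geek") returns true, while ChainVerifies("geek", "www.example.bbs") returns false because the .geek intermediate is not authorised for that name, even though it did sign the certificate.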
