Re: [opennic-discuss] Need for a OpenNIC TLD CA


  • From: Jonah Aragon <jonaharagon AT gmail.com>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Need for a OpenNIC TLD CA
  • Date: Mon, 09 Jan 2017 00:27:08 +0000

Actually just two I believe, the key and public certificate, other than that you're right. Basically the public cert will be posted on the homepage, etc. for everyone to add to their devices. The private key will be held by a to-be-determined authority who will be able to create certificates under the root.

The exact process we'll go about doing this is undetermined, but I'd imagine it'll go one of two ways:

1. Root CA is created and the key is kept completely offline. Intermediate CA certificates are granted for every TLD operator, to give them the ability to grant certificates to their users for each domain registered. The Root CA will keep a published revocation list to allow OpenNIC to revoke Intermediate certs in the unlikely case of abuse. The Root CA public certificate is available on the website for download and installation into users' systems. Once that certificate is installed, all certificates created by the Root and Intermediates will show as trusted in users' browsers.

2. Root CA is created and the key is kept completely offline. A single Intermediate "live" certificate is granted for use by every OpenNIC domain. TLD operators will be able to use an API system to give certificates to their users, but all certificates will come from that single source. The Root CA public certificate is available on the website for download and installation into users' systems. Once that certificate is installed, all certificates created by the Root and Intermediates will show as trusted in users' browsers. 

These two scenarios, or a possible other scenario, are what I'd like to discuss with people so we can finalize a plan.

Jonah

On Sun, Jan 8, 2017 at 6:05 PM Dustin Souers <texnofobix AT gmail.com> wrote:
There are 3 parts of each certificate: a key, a private cert, and a public cert. You do not want the key and private cert to be in the wild. In some places, they keep the private key and cert offline.

On Sun, Jan 8, 2017 at 6:13 PM, JC <jc AT motorsports-x.com> wrote:
Forgive my line knowledge of certificates... But isn't trust ensured through somehow sharing the root certificate? In other words to negate the factor of the trustworthiness of the TLD operator? I'm all for certs if they are secure and can be validated.

On Jan 8, 2017 16:44, "Jonah Aragon" <jonaharagon AT gmail.com> wrote:
This is a primary concern of mine. I've been actually using ICANN versions of some OpenNIC websites (talkdotgeek.com instead of talk.geek, for example) simply because of HTTPS implementation on one and not the other.

Hopefully these problems can be solved with a central CA :)

Jonah

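Scenario 1 above (offline root, one intermediate per TLD operator), worked through in memory with Go's crypto/x509 as an added example that is not code from the thread or from the OpenNIC project. It goes one step beyond the proposal: each operator intermediate carries a critical name constraint and a path length of 0, so an operator can issue leaf certificates only for names under its own TLD and cannot mint further CAs, which bounds abuse before the revocation list even comes into play. The CA names, the 10-year and 3-month lifetimes, and the hosts passed in are constructed; "geek" is the TLD from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign generates a fresh P-256 key for tmpl and issues tmpl under parent (self-signed when parent
// is nil) with parentKey; it returns the parsed certificate together with the new key.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c, key
}

// IssueUnderTLD runs scenario 1 in memory: a constructed root signs one intermediate for tld that is
// constrained to names below "."+tld, the intermediate issues a leaf for host, and the leaf is verified
// against the root. It returns the verification error (nil means browsers with the root installed trust it).
func IssueUnderTLD(tld, host string) error {
	now := time.Now().Add(-time.Hour)
	ca := x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		Subject: pkix.Name{CommonName: "Constructed OpenNIC Root"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	root, rootKey := sign(&ca, nil, nil)
	inter := ca // same CA shape, narrowed to one TLD operator
	inter.SerialNumber, inter.Subject = big.NewInt(2), pkix.Name{CommonName: "Constructed ." + tld + " operator CA"}
	inter.MaxPathLen, inter.MaxPathLenZero = 0, true // pathlen 0: may sign leaves, not further CAs
	inter.PermittedDNSDomains, inter.PermittedDNSDomainsCritical = []string{"." + tld}, true
	interCert, interKey := sign(&inter, root, rootKey) // rootKey is never used again ("offline")
	leaf := x509.Certificate{SerialNumber: big.NewInt(3), NotBefore: now, NotAfter: now.AddDate(0, 3, 0),
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafCert, _ := sign(&leaf, interCert, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(interCert)
	_, err := leafCert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}
```

Calling IssueUnderTLD("geek", "talk.geek") returns nil, while a leaf the same intermediate issues for a host outside .geek fails with a name-constraint error even though its signature is valid.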