Skip to Content.
Sympa Menu

discuss - Re: [opennic-discuss] Need for a OpenNIC TLD CA

discuss AT

Subject: Discuss mailing list

List archive

Re: [opennic-discuss] Need for a OpenNIC TLD CA

Chronological Thread 
  • From: opennic AT
  • To: discuss AT
  • Subject: Re: [opennic-discuss] Need for a OpenNIC TLD CA
  • Date: Mon, 9 Jan 2017 12:59:08 +1100 (AEDT)


As one who was once heavily involved with the internal CA for a major banking institution I have to weigh in here.

On Mon, 9 Jan 2017, Jonah Aragon wrote:

1. Root CA is created and the key is kept completely offline.

This is standard practice for CAs. Additionally, the machine used to generate Intermediate Issuer keys is kept offline as well: no network connection at all. When new certificates are issued, all root CA stakeholders must be physically present to enter their portion of the key passphrase.

CA certificates are granted for every TLD operator, to give them the
ability to grant certificates to their users for each domain registered.

The trick here will be to restrict them to issuing certs for just their own TLD. I don't believe such a restriction exists for certs. The only mechanism I can suggest is an active, post-hoc revocation of any inappropriately issued certs. This brings with it a whole separate management issue.

The Root CA public certificate is available on the website for download and installation into users' systems. Once that certificate is installed, all certificates created by the Root and Intermediates will show as trusted in users' browsers.

Often the intermediate will have to be explicitly trusted as well, unless the certs are provided in a chain file.

2. Root CA is created and the key is kept completely offline. A single
Intermediate "live" certificate is granted for use by every OpenNIC domain.
TLD operators will be able to use an API system to give certificates to
their users, but all certificates will come from that single source.

A common, credential-based system poses its own risks. I would not recommend exposing any parts of the issuing mechanisms to unauthorised use by providing them online. Since we can assume OpenNIC users have a certain level of technical skill we could oblige them to provide TLD issuers with CSRs and get the issuer to follow a more or less manual process. Given the likely low volume of certificates this should not be an onerous task.

Chris Gillings

Archive powered by MHonArc 2.6.19.

Top of Page