Discuss mailing list

[Jonah Aragon <jonaharagon AT gmail.com>]

> 1. Root CA is created and the key is kept completely offline.

This is standard practice for CAs.  Additionally, the machine
used to generate Intermediate Issuer keys is kept offline as
well: no network connection at all.  When new certificates are
issued, all root CA stakeholders must be physically present to
enter their portion of the key passphrase.

This is more or less the plan, the public key would never see any connection to another computer. I'm not sure how to devise a way to have multiple stakeholders since it clearly isn't ideal to physically meet up, that will have to be discussed later.

 

> CA certificates are granted for every TLD operator, to give them the
> ability to grant certificates to their users for each domain registered.

The trick here will be to restrict them to issuing certs for
just their own TLD.  I don't believe such a restriction exists
for certs.  The only mechanism I can suggest is an active,
post-hoc revocation of any inappropriately issued certs.  This
brings with it a whole separate management issue.

This is the primary issue with #1, I'm not sure if we can technically restrict it this way. If we went down this route maybe there would just have to be some strict auditing in place? And like you said, revocation of the certs in question. Possibly revocation of their entire CA if they're maliciously abusing it.

 

> The Root CA public certificate is available on the website for
> download and installation into users' systems. Once that
> certificate is installed, all certificates created by the Root
> and Intermediates will show as trusted in users' browsers.

Often the intermediate will have to be explicitly trusted as
well, unless the certs are provided in a chain file.

We would probably just have to provide pre-made chain files for webmasters for the sake of user-convenience, especially if we have many Intermediates. OpenNIC is already relatively technically difficult to setup for the average person, no need to push it :)

 

> 2. Root CA is created and the key is kept completely offline. A single
> Intermediate "live" certificate is granted for use by every OpenNIC domain.
> TLD operators will be able to use an API system to give certificates to
> their users, but all certificates will come from that single source.

A common, credential-based system poses its own risks.  I would
not recommend exposing any parts of the issuing mechanisms to
unauthorised use by providing them online.  Since we can assume
OpenNIC users have a certain level of technical skill we could
oblige them to provide TLD issuers with CSRs and get the issuer
to follow a more or less manual process.  Given the likely low
volume of certificates this should not be an onerous task.

If we went with this route we'd likely have a Boulder (see Let's Encrypt) implementation setup. Webmasters would use certbot/letsencrypt with the server flag to specify our server as the CA instead of Let's Encrypt's. It's a pretty neat implementation, ACME is, and that would be nice to setup. We aren't doing any validation outside of simple domain validation so it would certainly work.

 

Regards,
--
Chris Gillings

Thanks! If you plan on being more active in the community maybe you'd be interested in joining the Working Group I'm forming about this topic, we could use your input.

Jonah