And it's not just decentralizing trust, but also further centralizing it: Instead of a list of CAs you can trust/not trust, you tie everything back to the DNSSEC root keys and your TLDs master keys.
My idea for letting the trust being tied to the Root and TLD master keys was more in spirit of allowing people to have more say in SSL. The Internet is technically centralized to the IP and DNS namespace already so for me it seemed like the next step in the chain. While we centralize one part of the Internet we also open it up to allow for alternative root projects like OpenNIC to be able to establish community-based chains of trust.
Like I know one of the big problems with OpenNIC is nobody can really use SSL since if you trust a third party CA they can just sign for anybody without limits, and if you run both a DNS and CA service there then you have everything you would need to do large scale SSL interception in those cases :(
>if you trust a third party CA they can just sign for anybody without limits
It is possible for a root certificate to have a name constraint making all certificates issued for other e.g. TLDs invalid. Like it is done in dn42 CA.
Yes, that's the nicer solution, and it seems Apple finally got around to adding support for it as well a while back - for a long time they didn't support it, so name constraints broke validation for Safari and Chrome on macOS.
Your suggestion is to tie everything to the ownership of alternative root KSK. Meaning that you are explicitly blocking the possibility of multiple CAs for the project.
7 comments
[ 3.6 ms ] story [ 20.4 ms ] threadAnd it's not just decentralizing trust, but also further centralizing it: Instead of a list of CAs you can trust/not trust, you tie everything back to the DNSSEC root keys and your TLDs master keys.
My idea for letting the trust being tied to the Root and TLD master keys was more in spirit of allowing people to have more say in SSL. The Internet is technically centralized to the IP and DNS namespace already so for me it seemed like the next step in the chain. While we centralize one part of the Internet we also open it up to allow for alternative root projects like OpenNIC to be able to establish community-based chains of trust.
Like I know one of the big problems with OpenNIC is nobody can really use SSL since if you trust a third party CA they can just sign for anybody without limits, and if you run both a DNS and CA service there then you have everything you would need to do large scale SSL interception in those cases :(
It is possible for a root certificate to have a name constraint making all certificates issued for other e.g. TLDs invalid. Like it is done in dn42 CA.