It looks like a terrible idea to me. Imagine a country that currently doesn't have any trusted roots included in the browsers' bundle. Currently such countries can suspend any domain in their zone. Your proposal gives them an opportunity to transparently replace the certificate, which gives them much more capability.
On Fri, 27 Sep 2024, 20:56 Watson Ladd, <watsonbl...@gmail.com> wrote:
> Dear all,
>
> Spurred by recent IDs and events I've been thinking harder about how
> to get what we want out of TLS, DNS, and their interaction at the
> WebPKI.
>
> Fundamentally browsers can't rely on DNS to provide information about
> authentication because resolvers break that connection, and enforcing
> that means a lot of important things don't work. DNSSEC never gives
> the right signal (vanishes at resolver) so DANE doesn't really work,
> even if we could resolve extra records reliably.
>
> To my mind the registry should be able to issue X509 certs for second
> level domains/whoever controls a public suffix. After all, they know
> where you change DNS. Haven't sorted out how to deal with the level
> below that. Do others find this line of thought compelling?
>
> Sincerely,
> Watson Ladd
>
> --
> Astra mortemque praestare gradatim
>
> _______________________________________________
> Uta mailing list -- uta@ietf.org
> To unsubscribe send an email to uta-le...@ietf.org
_______________________________________________ Uta mailing list -- uta@ietf.org To unsubscribe send an email to uta-le...@ietf.org
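Added example, not from either message in the thread: a small Python model of the issuance scope the quoted proposal implies (a registry that controls a public suffix issues only for registrable names directly under it), which also makes the reply's objection concrete by listing every name a given registry could issue for. The public-suffix rule subset, the wildcard rule, the `RegistryCert` stand-in and all names are constructed for illustration and are not the real Public Suffix List or any real CA's data; names below the registrable level are refused, since the original message leaves that level unresolved.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed subset of public-suffix rules, assumed for this example only
# (the real Public Suffix List is far larger and also has "!" exception rules).
PUBLIC_SUFFIX_RULES = {"com", "uk", "co.uk", "example"}
# Models a "*.ck" wildcard rule: every single label directly under ck is a public suffix.
WILDCARD_PARENTS = {"ck"}


def _labels(host: str) -> list[str]:
    """Normalise case and trailing dot, then split into DNS labels."""
    return host.lower().rstrip(".").split(".")


def public_suffix(host: str) -> Optional[str]:
    """Longest-match public suffix of host, or None when no rule applies."""
    labels = _labels(host)
    for i in range(len(labels)):          # scanning from the full name finds the longest rule first
        candidate = ".".join(labels[i:])
        parent = ".".join(labels[i + 1:])
        if candidate in PUBLIC_SUFFIX_RULES or (parent and parent in WILDCARD_PARENTS):
            return candidate
    return None


def registrable_domain(host: str) -> Optional[str]:
    """The name one level below the public suffix (what a registry hands out),
    or None when host is itself a public suffix or matches no rule."""
    suffix = public_suffix(host)
    if suffix is None:
        return None
    labels = _labels(host)
    suffix_len = len(suffix.split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


@dataclass(frozen=True)
class RegistryCert:
    """Stand-in for an X.509 leaf (assumed shape; a real cert would carry
    the issuer in its chain and the name in a SAN entry)."""
    issuer_suffix: str   # the public suffix the issuing registry controls
    subject_name: str    # the DNS name the certificate asserts


def registry_may_issue(issuer_suffix: str, name: str) -> bool:
    """Scope rule: a registry CA for issuer_suffix may issue only for a
    registrable domain directly under that suffix. Deeper names are refused."""
    name = ".".join(_labels(name))
    if public_suffix(name) != ".".join(_labels(issuer_suffix)):
        return False
    return registrable_domain(name) == name


def accept(cert: RegistryCert) -> bool:
    """Relying-party check a browser would apply to a registry-issued cert."""
    return registry_may_issue(cert.issuer_suffix, cert.subject_name)


def names_in_scope(issuer_suffix: str, names: list[str]) -> list[str]:
    """Every name the registry for issuer_suffix could issue for. This is the
    set the reply is concerned about: suspension already covers it, but
    issuance additionally lets the registry stand in for the site."""
    return [n for n in names if registry_may_issue(issuer_suffix, n)]


if __name__ == "__main__":
    # Constructed names for a quick demonstration.
    zone = ["a.example", "b.example", "www.a.example", "a.com", "bbc.co.uk"]
    print(accept(RegistryCert("example", "A.Example.")))          # True
    print(accept(RegistryCert("com", "www.example.com")))          # False: below registrable level
    print(accept(RegistryCert("uk", "bbc.co.uk")))                 # False: co.uk is the suffix, not uk
    print(names_in_scope("example", zone))                         # ['a.example', 'b.example']
```

The check mirrors what an X.509 name constraint on a registry CA would enforce, but in plain Python so it runs offline; a real deployment would express the same scope as a `permittedSubtrees` dNSName constraint on the registry's CA certificate rather than as a lookup function.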