On Fri, 27 Sep 2024, 22:36 Watson Ladd, <watsonbl...@gmail.com> wrote:
> On Fri, Sep 27, 2024 at 1:34 PM Dmitry Belyavsky <beld...@gmail.com> wrote:
> >
> > It looks like a terrible idea to me.
> >
> > Imagine a country that currently doesn't have any trusted roots included in browser's bundle. Currently such countries can suspend any domain in their zone. Your proposal gives them an opportunity to transparently replace the certificate that gives much more capabilities.
>
> They already have the ability to get a certificate for the name after redirecting it, because control of DNS is what the WebPKI checks for.
>
> We would likely still need CT.
>

If the DNS provider is abroad, they can't do it smoothly; the DNS change will be detectable. Your proposal lowers the barrier.

> >
> > On Fri, 27 Sep 2024, 20:56 Watson Ladd, <watsonbl...@gmail.com> wrote:
> >>
> >> Dear all,
> >>
> >> Spurred by recent IDs and events I've been thinking harder about how to get what we want out of TLS, DNS, and their interaction at the WebPKI.
> >>
> >> Fundamentally browsers can't rely on DNS to provide information about authentication because resolvers break that connection, and enforcing that means a lot of important things don't work. DNSSEC never gives the right signal (vanishes at resolver) so DANE doesn't really work, even if we could resolve extra records reliably.
> >>
> >> To my mind the registry should be able to issue X509 certs for second level domains/whoever controls a public suffix. After all, they know where you change DNS. Haven't sorted out how to deal with the level below that. Do others find this line of thought compelling?
> >>
> >> Sincerely,
> >> Watson Ladd
> >>
> >> --
> >> Astra mortemque praestare gradatim
> >>
> >> _______________________________________________
> >> Uta mailing list -- uta@ietf.org
> >> To unsubscribe send an email to uta-le...@ietf.org
> >
>
> --
> Astra mortemque praestare gradatim
>
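The claim in the thread that "control of DNS is what the WebPKI checks for" is exactly what ACME's DNS-01 challenge (RFC 8555, section 8.4) encodes: the CA asks for a TXT record under `_acme-challenge.<domain>` and compares it against a digest of the token and the account key's thumbprint, nothing more. The following is an added example, not code from the thread, from the IETF or from any ACME implementation. It implements the CA-side check as a CA would perform it, using a constructed in-memory zone instead of real DNS and constructed account keys (the EC coordinates are placeholders, not a real key), so it runs offline.

```python
"""
CA-side validation of an ACME DNS-01 challenge, written to show what the
WebPKI actually verifies: the ability to publish one TXT record in the zone.
Added example; the resolver and the account keys below are constructed.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 8555, section 3)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the key type's required members only,
    in lexicographic order, serialised with no whitespace. Optional members
    such as "use" or "kid" are deliberately excluded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555, section 8.1: token || "." || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555, section 8.4: the TXT record carries
    base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def validate_dns01(domain: str, token: str, account_jwk: dict, resolve_txt) -> bool:
    """The CA's entire check: fetch the TXT records at _acme-challenge.<domain>
    and look for the expected value. Anyone who can write that record (the
    registrant, their DNS host, or whoever operates the zone above them)
    satisfies it; the CA learns nothing else about the domain."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in resolve_txt(f"_acme-challenge.{domain}")


# Constructed account keys. The coordinates are placeholders, not real P-256 points.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32),
    "use": "sig",  # optional member; must not affect the thumbprint
}
OTHER_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": b64url(b"\x03" * 32), "y": b64url(b"\x04" * 32),
}


def run_demo() -> tuple:
    """Walk the challenge through three states and return the CA's verdicts."""
    domain = "example.com"
    token = "constructed-token-1"  # constructed; a real CA issues a random token
    zone = {}                      # constructed stand-in for the domain's DNS zone

    def resolve_txt(name: str) -> list:
        return zone.get(name, [])

    # 1. Nothing published yet: the CA must refuse.
    before = validate_dns01(domain, token, ACCOUNT_JWK, resolve_txt)
    # 2. Whoever controls the zone publishes the record: the CA accepts.
    zone[f"_acme-challenge.{domain}"] = [dns01_txt_value(token, ACCOUNT_JWK)]
    after = validate_dns01(domain, token, ACCOUNT_JWK, resolve_txt)
    # 3. The same record does not satisfy a challenge bound to a different account key.
    other = validate_dns01(domain, token, OTHER_JWK, resolve_txt)
    return before, after, other


if __name__ == "__main__":
    print(run_demo())  # (False, True, False)
```

Two things follow for a defender. The record is removed once validation completes, so issuance leaves no durable trace in the zone itself; that is the reason the thread says CT would still be needed, since the CT logs are where an unexpected certificate for a name remains visible. And because the check is satisfied by whoever can write to the zone, detecting a change of nameservers or DNS hosting at the registrar, which the thread notes is observable when the DNS provider is abroad, is the other signal worth monitoring.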