On Sat, Sep 28, 2024 at 07:43:09AM -0700, Watson Ladd wrote:
> > Nothing is gained by registries becoming (name constrained) WebPKI CAs.
> > Indeed that works poorly, because in the RRR model, the registrant has
> > no authenticated channel to the registry to request certificate
> > issuance, the registry works exclusively with registrars, who would then
> > become trusted RAs, and then the number of trusted parties grows out of
> > control.
>
> But if they can change who owns a domain there is currently no protection.
> Changing a domain gets you the ability to get a cert.
Of course, but certificate issuance gets rather complicated when it has
to be mediated via your registrar.  This would be unlikely to be a free
or low-cost service, and we'd be back to the days before Let's Encrypt.

And delegation of control to subsidiary organisations would be difficult
to implement, unless what each org gets from the registry is a name
constrained CA cert, but name constraints in X.509 are much too broken,
because there's no single namespace, instead name constraints per SAN
type, and with complex workarounds for IDNA, ...

And certificates in the WebPKI are not sufficiently precise, failing to
distinguish between multiple services on the same host, and with much
too frequent use of wildcard certs.

I don't see a realistic model that enshrines the registrars as a
*required* middle party in cert issuance.  Some already operate CAs, but
not as a proxy for a registry.

--
    Viktor.
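The "name constraints per SAN type" point above is easy to see with a small matcher. What follows is an added illustration, not code from this thread or from any of the participants: a pure-Python rendering of the RFC 5280 section 4.2.1.10 matching rules for dNSName, rfc822Name, iPAddress and URI subtrees, run against constructed SAN lists rather than real certificates. The function names, the tuple encoding of GeneralNames, and the two constraint sets (a dNSName-only one and a per-type one with the whole IP space excluded) are all assumptions made for the example.

```python
"""
Toy RFC 5280 (section 4.2.1.10) name-constraint matcher. Added example, not
code from the mailing-list thread: it shows that a CA certificate constrained
on dNSName alone leaves every other SAN type unconstrained, so confining a
delegated CA to one organisation needs one entry per name type. Certificate
data is constructed as plain tuples rather than parsed from real certs.
"""
import ipaddress
from urllib.parse import urlsplit


def _dns_match(name, base):
    # dNSName: the name itself or any subdomain, label-wise, case-insensitive.
    name = name.lower().rstrip(".")
    base = base.lower().strip(".")
    return name == base or name.endswith("." + base)


def _email_match(addr, base):
    # rfc822Name: a full mailbox matches exactly; a bare host matches that
    # host only; a leading dot matches any host inside that domain.
    addr, base = addr.lower(), base.lower()
    if "@" in base:
        return addr == base
    host = addr.rsplit("@", 1)[-1]
    return host.endswith(base) if base.startswith(".") else host == base


def _ip_match(addr, base):
    # iPAddress: address plus mask; written here as CIDR text for brevity.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(base, strict=False)


def _uri_match(uri, base):
    # uniformResourceIdentifier: the constraint applies to the host part only.
    host = (urlsplit(uri).hostname or "").lower()
    base = base.lower()
    return host.endswith(base) if base.startswith(".") else host == base


MATCHERS = {
    "dNSName": _dns_match,
    "rfc822Name": _email_match,
    "iPAddress": _ip_match,
    "uniformResourceIdentifier": _uri_match,
}


def name_permitted(kind, value, permitted, excluded):
    """One SAN (kind, value) against lists of (kind, base) subtrees."""
    match = MATCHERS[kind]
    # excludedSubtrees take precedence over permittedSubtrees.
    if any(k == kind and match(value, b) for k, b in excluded):
        return False
    bases = [b for k, b in permitted if k == kind]
    # A type that appears in no permittedSubtrees entry is unconstrained.
    if not bases:
        return True
    return any(match(value, b) for b in bases)


def leaf_allowed(sans, permitted, excluded):
    """All SANs of a leaf must pass; returns (ok, list_of_rejected_sans)."""
    rejected = [(k, v) for k, v in sans
                if not name_permitted(k, v, permitted, excluded)]
    return (not rejected, rejected)


# Constructed scenario: a registry issues example.org a CA constrained to
# dNSName example.org and nothing else.
DNS_ONLY = [("dNSName", "example.org")]

# What it takes to actually confine the CA to one organisation: an entry
# per name type, plus an explicit exclusion of the entire IP address space.
PER_TYPE_PERMITTED = [("dNSName", "example.org"), ("rfc822Name", ".example.org")]
PER_TYPE_EXCLUDED = [("iPAddress", "0.0.0.0/0"), ("iPAddress", "::/0")]


def demo():
    """Return ({case: ok} under DNS_ONLY, {case: ok} under the per-type set)."""
    cases = {
        "in_scope_host": [("dNSName", "www.example.org")],
        "other_host": [("dNSName", "www.example.com")],
        "wildcard": [("dNSName", "*.example.org")],  # constraints never stop wildcards
        "foreign_email": [("rfc822Name", "admin@example.com")],
        "any_ip": [("iPAddress", "203.0.113.7")],
        "foreign_uri": [("uniformResourceIdentifier", "https://example.com/x")],
    }
    loose = {name: leaf_allowed(sans, DNS_ONLY, [])[0] for name, sans in cases.items()}
    tight = {name: leaf_allowed(sans, PER_TYPE_PERMITTED, PER_TYPE_EXCLUDED)[0]
             for name, sans in cases.items()}
    return loose, tight


if __name__ == "__main__":
    loose, tight = demo()
    for case in loose:
        print(f"{case:15} dNSName-only: {loose[case]!s:5}  per-type: {tight[case]!s:5}")
```

Under the dNSName-only constraint the foreign e-mail, the IP address and the foreign URI all pass, because nothing constrains those types; the per-type set closes the e-mail and IP holes but still leaves URI names open, and neither set says anything about `*.example.org`, which is the wildcard problem raised in the same message. Real validators also differ in which GeneralName types they enforce at all, which is a further reason the "single namespace" intuition does not hold.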