Re: Security for various IETF services

On 9 April 2014 21:15, Steve Crocker <steve@xxxxxxxxxxxx> wrote:
> My own opinion is related but not identical.  I agree solutions 1 and 3 are failures; 1 doesn’t provide the trust and 3 doesn’t scale.  Solution 2 is also problematic because the government tends to overreach and there isn’t a single government.
>
> DNSSEC provides a base platform to build upon.  It doesn’t claim to provide the level of trust the CA system tried to provide.  That’s a key strength, not a weakness.

DNSSEC, and DANE, allow you to provide a "Domain Validated" public key, much like the cheap/free certificates currently available from CAs, but more reliably and simply. I think the same level of trust is there either way, except that the cheap/free CA certs are very weakly validated in practice.

CAs can provide actual identity assertions, and in private situations authorization information.

I suspect that if we can get DANE deployed, we'll see most of the cheap and somewhat useless CAs vanish, and only those with reasonable trust remaining survive on fully validated, EV et al, certs, actually, but that's beside the point.

I wonder if we can't use DANE, S/MIME, WebFinger and a little sensibly-applied PKI, so that:

1) You could find out assertions of what CA (if any) users of a particular domain use for end-user client certificates via a TLSA record. Say _users IN TLSA ...

2) We can use WebFinger to find the certificate itself, and therefore a possibly signed assertion of actual identity, both WebFinger and this certificate protected currently by stock PKIX (and in the future, DANE).

I think this gives you essentially everything anyone might want, but for added bonuses, we could do a web-of-trust thing hanging off WebFinger (publish any signatures anyone else is prepared to give you) or via public services.

However, it's probably been suggested before and shot down before, so feel free to point me to its death notice. :-)

Dave.
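The two-step scheme sketched in points 1) and 2) above, as an added worked example that is not part of the original mail: a TLSA record under a `_users` owner label asserts which CA (usage 2, DANE-TA) or which end-entity key (usage 3, DANE-EE) a domain's users present, and a WebFinger JRD points at the user's certificate. The `_users` label is the proposal's, not a registered one; the WebFinger link relation `urn:example:user-cert`, the certificate bytes (built as a structure-only stand-in, not a signed certificate) and the sample JRD are assumptions made here for illustration. TLSA field semantics follow RFC 6698; the minimal DER walker only handles the single-byte tags an X.509 certificate actually uses.

```python
"""Added example: DANE-style TLSA checks for user certificates plus WebFinger
discovery, as proposed in the mail above. Not code from the original page."""
import hashlib
from typing import List, Optional

# --- minimal DER helpers (single-byte tags, definite lengths) -----------------

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_children(seq: bytes) -> List[bytes]:
    """Return the raw TLVs directly inside a DER SEQUENCE (or SET)."""
    pos, n = 1, seq[1]
    pos += 1
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n = int.from_bytes(seq[pos:pos + k], "big")
        pos += k
    end, out = pos + n, []
    while pos < end:
        ln, hdr = seq[pos + 1], 2
        if ln & 0x80:
            k = ln & 0x7F
            ln = int.from_bytes(seq[pos + 2:pos + 2 + k], "big")
            hdr = 2 + k
        out.append(seq[pos:pos + hdr + ln])
        pos += hdr + ln
    return out

def spki_of(cert_der: bytes) -> bytes:
    """SubjectPublicKeyInfo of a certificate (TLSA selector 1)."""
    tbs = der_children(cert_der)[0]
    fields = der_children(tbs)
    off = 1 if fields[0][0] == 0xA0 else 0     # explicit [0] version present?
    return fields[5 + off]                     # serial, sigAlg, issuer, validity, subject, SPKI

# --- TLSA (RFC 6698) ---------------------------------------------------------

def tlsa_owner_name(domain: str, label: str = "_users") -> str:
    """Owner name for the proposed per-domain user-cert policy record (assumed label)."""
    return f"{label}.{domain}."

def tlsa_association(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Certificate association data for the given selector/matching type."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    if matching == 0:
        return data
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")

def parse_tlsa(record: str):
    usage, selector, matching, assoc = record.split()
    return int(usage), int(selector), int(matching), bytes.fromhex(assoc)

def chain_satisfies_tlsa(records: List[str], chain: List[bytes]) -> bool:
    """chain[0] is the end-entity (user) certificate, the rest its issuers.
    Usage 3 (DANE-EE) must match the leaf; usage 2 (DANE-TA) must match an
    issuer in the presented chain. Usages 0/1 also need PKIX path validation,
    which this offline example does not model, so they never match here."""
    for rec in records:
        usage, selector, matching, assoc = parse_tlsa(rec)
        candidates = chain[:1] if usage == 3 else chain[1:] if usage == 2 else []
        if any(tlsa_association(c, selector, matching) == assoc for c in candidates):
            return True
    return False

# --- WebFinger (RFC 7033) JRD lookup ------------------------------------------

def webfinger_cert_link(jrd: dict, rel: str = "urn:example:user-cert") -> Optional[str]:
    """href of the first JRD link with the given relation (rel value is assumed)."""
    for link in jrd.get("links", []):
        if link.get("rel") == rel:
            return link.get("href")
    return None

# --- constructed sample data --------------------------------------------------

_RSA_SHA256 = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))

def build_fake_cert(cn: bytes, key: bytes) -> bytes:
    """Structure-only stand-in nested like X.509 (not signed, not valid)."""
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0c, cn))))
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    spki = der_tlv(0x30, _RSA_SHA256 + der_tlv(0x03, b"\x00" + key))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + _RSA_SHA256 + name + validity + name + spki)
    return der_tlv(0x30, tbs + _RSA_SHA256 + der_tlv(0x03, b"\x00" + b"\xaa" * 16))

CA_CERT = build_fake_cert(b"Example Users CA", b"\x01" * 32)
USER_CERT = build_fake_cert(b"alice@example.com", b"\x02" * 32)
SAMPLE_JRD = {"subject": "acct:alice@example.com",
              "links": [{"rel": "http://webfinger.net/rel/profile-page", "href": "https://example.com/alice"},
                        {"rel": "urn:example:user-cert", "href": "https://example.com/users/alice/cert.der"}]}

def example_record(cert: bytes, usage: int, selector: int, matching: int) -> str:
    """Presentation-format RDATA for a TLSA record covering `cert`."""
    return f"{usage} {selector} {matching} {tlsa_association(cert, selector, matching).hex()}"

if __name__ == "__main__":
    policy = [example_record(CA_CERT, 2, 1, 1)]          # "users of example.com use this CA"
    print(tlsa_owner_name("example.com"), "IN TLSA", policy[0])
    print("chain ok:", chain_satisfies_tlsa(policy, [USER_CERT, CA_CERT]))
    print("cert url:", webfinger_cert_link(SAMPLE_JRD))
```

In deployment the TLSA RRset would only be trusted after a DNSSEC-validated lookup of the owner name, and the JRD and certificate would be fetched over TLS; neither network step is modelled here.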
