Re: Using DNS system as a Global Root Certificate Authority - possible ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is very similar to what the DANE working group is working on - https://datatracker.ietf.org/wg/dane/charter/

I'd suggest you start with RFC6394, and then RFC6698, followed by RFC7671.

W


On Sat, Dec 26, 2015, 3:23 PM Alexey Eromenko <al4321@xxxxxxxxx> wrote:
Hi all,

Assume DNS system added a new resource record (RR), which allowed to
publish the public key for a particular FQDN.

How secure or insecure that would be.

Is there a way to *securely* retrieve such information from, for
example, authoritative
DNS server, without any middlebox (such as DNS proxy) mangling it ?

And having TLD DNS servers as the top "Root Certificate Authorities".

so X.509 SSL certificate chain could look like:

- "."
+- ".com."
|--+ "company_abc.com."
|-----+ "www.company_abc.com."
|-----+ "mail.company_abc.com."
|-----+ "ftps.company_abc.com."
etc...

I am not yet sure if this is possible or not, just loud thinking...
In theory, if possible, this should simplify certifications and make
it easier to start an HTTPS server, cutting Verisign and friends out
of the loop.

What do you think ?
--
-Alexey Eromenko "Technologov"


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]