[SSL Observatory] SSL CA compromise in the wild

Steve Schultze sjs at princeton.edu
Wed Mar 23 09:43:57 PDT 2011


On Mar 23, 2011, at 12:32 PM, Ludwig Nussel wrote:
> Steve Schultze wrote:
>>> A problem of course is trying to put the smoke back in the bottle -
>>> going to CAs and telling them their broad signing powers are now going
>>> to be restricted.  It'd be extremely difficult if not impossible to
>>> regulate signing certs already issued, and trying to regulate them
>>> going forward would probably bring cries of anger from the signers who
>>> want to be 'grandfathered' in and have the overarching powers of the
>>> signers that got there first.
>> 
>> Yes, this is the biggest problem.  Also, how do you decide which CAs have
>> authority for which ccTLDs?  Is it based on the country in which they do
>> business?  That's what Chris Soghoian has suggested.
>> 
>> What about non-ccTLDs?
> 
> The domain registry could simply issue the certificate at the same
> time it assigns the domain name.

That is an equivalent structure to signing DNS with DNSSEC, allowing the registrant to place a DS record in the parent zone, and implementing a standard for domain holders to place keys in their zone... which is what DANE is about:

https://www.ietf.org/mailman/listinfo/keyassure

I think that DANE is a better mechanism for doing so, rather than perpetuating the current CA/X.509 system... and it has the benefit of being deployable in parallel so that we don't need to force CAs to make the change themselves (which they would never do).
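The chain described in this message (DS record in the parent zone, zone key, key published by the domain holder) can be sketched as follows; this is an added example, not code from the thread or from the DANE working group. It assumes the DNSSEC signatures over each record set have already been verified, covers only the hash links, and uses constructed names and key bytes throughout; the published key hash follows the SHA-256-of-public-key form that the TLSA record (RFC 6698) uses.

```python
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Owner name in canonical (lower-case) DNS wire format."""
    labels = [p for p in name.lower().split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, key (RFC 4034)."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256(owner name | DNSKEY RDATA) (RFC 4509)."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()

def validate(parent_ds: bytes, owner: str, zone_rdata: bytes,
             published_key_hash: bytes, server_key: bytes) -> bool:
    """Parent DS -> zone DNSKEY -> key hash in zone -> key the server presents."""
    if ds_digest(owner, zone_rdata) != parent_ds:
        return False  # zone key is not the one the registrant gave the parent
    # The key offered in the TLS handshake must be the one the zone publishes.
    return hashlib.sha256(server_key).digest() == published_key_hash

# Constructed sample data (hypothetical zone and keys, not real records).
OWNER = "example.com."
ZONE_KEY = dnskey_rdata(257, 8, bytes(range(64)))      # KSK flags, algorithm 8
PARENT_DS = ds_digest(OWNER, ZONE_KEY)                 # what the registry holds
SERVER_KEY = b"constructed server public key bytes"
KEY_HASH = hashlib.sha256(SERVER_KEY).digest()         # what the zone publishes
ROGUE_KEY = b"key from a certificate the domain holder never published"

if __name__ == "__main__":
    print(validate(PARENT_DS, OWNER, ZONE_KEY, KEY_HASH, SERVER_KEY))
    print(validate(PARENT_DS, OWNER, ZONE_KEY, KEY_HASH, ROGUE_KEY))
```

A key that the domain holder did not publish fails the last comparison no matter which CA signed a certificate for it.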

