[Sovereign Keys] Evidence for claim - CA-signed certificate
Ondrej Mikle
ondrej.mikle at nic.cz
Sun Dec 18 15:23:48 PST 2011
Hi,
I'm a bit puzzled by the option of using a CA-signed certificate to claim control
of a DNS name. Despite having re-read the text a couple of times, I think I'm not
understanding it correctly.
According to my interpretation, the owner of domain example.com can create
an additional RSA/ECC sovereign key and obtain a CA-signed certificate that has the
key in SubjectPublicKeyInfo and the domain's FQDN in CN/SAN.
Though this would create a loophole: if an attacker gains control of any CA (or
uses other tricks), he can issue himself a CA-certificate with a key of his
choosing and use that certificate for a claim of the domain's ownership. What am I
missing?
Ondrej