[Cryptography] Certificates and PKI

Paul Hoffman paul.hoffman at vpnc.org
Tue Dec 23 11:12:22 EST 2014


On Dec 23, 2014, at 2:56 AM, Ben Laurie <ben at links.org> wrote:
> On 22 December 2014 at 16:10, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
>> On Dec 22, 2014, at 5:33 AM, Ben Laurie <ben at links.org> wrote:
>>> But also: DANE puts registries and registrars in the roles of CA and
>>> RA. If we think CAs are not a good solution, how is it the
>>> registries/registrars magically are?
>> 
>> Not "magically", but systematically. Every domain owner has chosen a registry, and possibly a registrar (some registries do not have registrars). There is an established business relationship with the registry that means that you trust them with serving your name correctly. There is fate-sharing between the name you registered and the contents that the registry advertises. Given that fate-sharing, they are in a position to attach any DNS-specific semantics to your name, such as the DS records.
> 
> I'm not getting the distinction you're making here. This sounds pretty
> much exactly like the relationship you have with a CA...

Not at all. As a bunch of other folks indicated on this thread:

- In the DNS model, the registry completely controls the domain by controlling the NS records, and even the existence of the domain. Thus, it saying "and here's the signing key that the domain will use" is no more control than it already has.

- In the CA model, the CA has no control over the domain itself. If a CA wants to "take control away" from a domain owner, it can issue a cert to someone else, but the domain still belongs to the original owner. All that CA can do is to say "if you got here through bad information, I can pretend that this domain belongs to these other folks".

Many of us believe that this is a strong distinction.

--Paul Hoffman


More information about the cryptography mailing list