[Cryptography] Certificates and PKI

Anne & Lynn Wheeler lynn at garlic.com
Tue Dec 23 12:16:26 EST 2014


On 12/22/14 08:10, Paul Hoffman wrote:
> Not "magically", but systematically. Every domain owner has chosen a registry, and
> possibly a registrar (some registries do not have registrars). There is an established
> business relationship with the registry that means that you trust them with serving your
> name correctly. There is fate-sharing between the name you registered and the contents
> that the registry advertises. Given that fate-sharing, they are in a position to attach
> any DNS-specific semantics to your name, such as the DS records.

I've periodically commented that DNSSEC is something of a catch-22 for the CA domain name
certification business. Certification Authorities tend to rely on authoritative agencies
for the validity of the information that they are certifying ... in the case of domain names
... it is the domain name infrastructure.

Domain name certificates were partially justified on issues with domain name infrastructure
integrity ... but it is the domain name infrastructure that is the trust root for the
information that they are certifying. They have partially backed DNSSEC to help improve
the integrity of the domain name infrastructure that they rely on ... aka an entity
registers a public key at the same time they register a domain name ... then all communication
is digitally signed and the domain name infrastructure can validate the communication
using the on-file public key (as countermeasure to domain name take-overs).

This also provides an opportunity for domain name CAs to require certificate applications
to be digitally signed ... and CAs can replace a time-consuming, expensive and error-prone
identification process ... with a much more efficient and reliable authentication
process by retrieving the same public key for validating the domain name certificate
application.

The catch-22 then becomes if the domain name CA industry can rely
on the "on-file" public keys ... then others might also
... eliminating need for the domain name digital certificates.

-- 
virtualization experience starting Jan1968, online at home since Mar1970
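The on-file key mechanism described in the message above, as an added example that is not code from the thread: a constructed in-memory registry stands in for the domain name infrastructure, the application format and function names are hypothetical, and Ed25519 is assumed as the key type. The CA authenticates the application with the key registered alongside the domain, so a request signed with any other key (the take-over case) is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry models the "on-file" public keys held by the domain name
// infrastructure: the key registered together with the domain (constructed, in-memory).
type Registry map[string]ed25519.PublicKey

// CertApplication is a hypothetical, minimal stand-in for a domain certificate request.
type CertApplication struct {
	Domain    string
	SPKI      []byte // public key the applicant wants certified
	Signature []byte // over Domain||SPKI, made with the domain's on-file private key
}

// GenerateOnFileKey produces the key pair an entity registers with its domain.
func GenerateOnFileKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func applicationBytes(domain string, spki []byte) []byte {
	return append([]byte(domain+"\x00"), spki...) // NUL separates the two fields
}

// SignApplication is the domain holder's side: sign the request with the on-file key.
func SignApplication(domain string, spki []byte, onFile ed25519.PrivateKey) CertApplication {
	return CertApplication{Domain: domain, SPKI: spki,
		Signature: ed25519.Sign(onFile, applicationBytes(domain, spki))}
}

// ValidateApplication is the CA's side: instead of an out-of-band identification
// process, retrieve the on-file key for the domain and verify the signature.
func ValidateApplication(reg Registry, app CertApplication) error {
	pub, ok := reg[app.Domain]
	if !ok {
		return errors.New("no on-file key registered for " + app.Domain)
	}
	if !ed25519.Verify(pub, applicationBytes(app.Domain, app.SPKI), app.Signature) {
		return errors.New("application not signed by the on-file key for " + app.Domain)
	}
	return nil
}

func main() {
	onFilePub, onFilePriv := GenerateOnFileKey()
	reg := Registry{"example.com": onFilePub} // constructed registry entry
	certPub, _ := GenerateOnFileKey()          // key the applicant wants certified
	fmt.Println("holder-signed:", ValidateApplication(reg, SignApplication("example.com", certPub, onFilePriv)))
	_, otherPriv := GenerateOnFileKey() // a key that was never registered for the domain
	fmt.Println("other-signed: ", ValidateApplication(reg, SignApplication("example.com", certPub, otherPriv)))
}
```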
