[Cryptography] "Trust in digital certificate ecosystem eroding"

Anne & Lynn Wheeler lynn at garlic.com
Mon May 4 16:56:59 EDT 2015


On 05/04/15 06:16, Ben Laurie wrote:
> Why? DNSSEC has its equivalent of CAs/RAs: registries and registrars.
> Why do you think they'll do any better a job of verifying ownership
> than CAs do?

Certification authorities tend to certify the information from authoritative
agencies responsible for the information ... in the case of domain name
ownership ... it is the domain name agencies. Domain Name Certification Authorities
have had a catch-22 ... proposing various public key and digital signature
changes to domain name registration for improving the trust and integrity in the information
they are certifying (and countermeasure to various domain name registration exploits
like domain name take-over). The registration of a public key at the same
time as domain name registration ... then requires that all future communication
arriving at the domain name authority is digitally signed ... and can be
authenticated with the on-file public key (for that domain name).

The issue then for the CAs is that they can require that an application for
a domain name digital certificate also be digitally signed ... and they can
replace an error-prone, complicated, and costly identification process with a
much simpler, straightforward and less expensive authentication process ... by
retrieving the on-file public key for verification of the digital signature.

The result not only improves the trust and integrity of the domain
name registration ... but also improves the domain name CA process.

The catch-22 is that if the CA business can do real-time retrievals
of the on-file public key for authentication ... then possibly others might also
... reducing the need for domain name digital certificates.

-- 
virtualization experience starting Jan1968, online at home since Mar1970
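The flow the post sketches (a public key put on file at domain registration, every later request about that domain signed with it, and the CA authenticating a certificate application by retrieving that key) is easy to model end to end. The following Go program is an added example written for this page; it is not code from the post, the list, or any registry or CA. The `Registry` type, the message framing, and the domains `example.com` and `other.example` are all constructed for illustration, and Ed25519 stands in for whatever signature scheme a real registry would pick. It also shows the two checks a practitioner would want on top of the post's description: signatures are bound to the domain and to a purpose so they cannot be replayed elsewhere, and replacing the on-file key (the takeover case) itself requires a signature by the current key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry models a hypothetical domain name authority that records a public
// key when a domain is registered. Every later request touching the domain
// must carry a signature that verifies under that on-file key.
type Registry struct {
	keys map[string]ed25519.PublicKey
}

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}} }

// Application is what a CA receives: the domain, an opaque certificate
// request blob, and a signature made with the registrant's private key.
type Application struct {
	Domain    string
	CSR       []byte
	Signature []byte
}

// GenerateKeypair wraps Ed25519 key generation so callers need no crypto imports.
func GenerateKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Register binds a public key to a domain exactly once; later key changes
// must go through RotateKey, which demands proof of the current key.
func (r *Registry) Register(domain string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if _, exists := r.keys[domain]; exists {
		return errors.New("domain already registered; key changes must be signed")
	}
	r.keys[domain] = append(ed25519.PublicKey(nil), pub...)
	return nil
}

// LookupKey is the real-time retrieval of the on-file key that the post
// describes; a CA (or any other relying party) calls it to authenticate.
func (r *Registry) LookupKey(domain string) (ed25519.PublicKey, bool) {
	pub, ok := r.keys[domain]
	return pub, ok
}

// Signed messages carry a purpose tag and the domain, so a signature over a
// CSR cannot be replayed for another domain or reused as a key rotation.
func applicationMessage(domain string, csr []byte) []byte {
	return append([]byte("cert-application\x00"+domain+"\x00"), csr...)
}

func rotationMessage(domain string, newPub ed25519.PublicKey) []byte {
	return append([]byte("key-rotation\x00"+domain+"\x00"), newPub...)
}

// SignApplication is the registrant side: sign the certificate request with
// the key that was put on file at registration time.
func SignApplication(priv ed25519.PrivateKey, domain string, csr []byte) Application {
	return Application{Domain: domain, CSR: csr, Signature: ed25519.Sign(priv, applicationMessage(domain, csr))}
}

// VerifyApplication is the CA side: authentication against the retrieved
// on-file key replaces a separate identification process.
func VerifyApplication(r *Registry, app Application) error {
	pub, ok := r.LookupKey(app.Domain)
	if !ok {
		return errors.New("domain not registered")
	}
	if !ed25519.Verify(pub, applicationMessage(app.Domain, app.CSR), app.Signature) {
		return errors.New("signature does not verify against on-file key")
	}
	return nil
}

// SignRotation and RotateKey are the takeover countermeasure: only the holder
// of the current private key can install a replacement public key.
func SignRotation(priv ed25519.PrivateKey, domain string, newPub ed25519.PublicKey) []byte {
	return ed25519.Sign(priv, rotationMessage(domain, newPub))
}

func (r *Registry) RotateKey(domain string, newPub ed25519.PublicKey, sig []byte) error {
	cur, ok := r.keys[domain]
	if !ok {
		return errors.New("domain not registered")
	}
	if len(newPub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if !ed25519.Verify(cur, rotationMessage(domain, newPub), sig) {
		return errors.New("rotation not signed by current on-file key")
	}
	r.keys[domain] = append(ed25519.PublicKey(nil), newPub...)
	return nil
}

func main() {
	reg := NewRegistry()
	pub, priv, _ := GenerateKeypair()
	_ = reg.Register("example.com", pub) // constructed sample domain
	csr := []byte("constructed CSR bytes")
	fmt.Println("genuine application:", VerifyApplication(reg, SignApplication(priv, "example.com", csr)))
	_, impostor, _ := GenerateKeypair()
	fmt.Println("impostor application:", VerifyApplication(reg, SignApplication(impostor, "example.com", csr)))
	newPub, _, _ := GenerateKeypair()
	fmt.Println("unsigned key change:", reg.RotateKey("example.com", newPub, nil))
	fmt.Println("signed key change:", reg.RotateKey("example.com", newPub, SignRotation(priv, "example.com", newPub)))
}
```

Nothing here needs the CA to identify anybody: the only facts it consumes are the domain name, the CSR and a signature, and the only trust anchor is the key the registry returns. That is also why the last paragraph of the post holds: `LookupKey` is the same call whether a CA or a browser makes it.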

