we need this, but will it work?

Story: DNS record will help prevent unauthorized SSL certificates
Total Replies: 6
mbaehrlxer

Apr 17, 2017
1:24 AM EDT
i have long believed that allowing any certificate authority (or anyone really) to create certificates for any site is just wrong because there is no way for the visitor to tell if the certificate is genuine.

however, i wonder if this solution goes far enough.

for one, there still is dns spoofing. i see it happening with an alarming regularity.

also, if i read this correctly, then that new dns record only specifies a domain name. which means it only works for CAs the browser has already stored, because otherwise the CA itself could be spoofed.

why not store the actual public signing key in the dns record? this way we could do away with CAs altogether because the dns entry can now be used to verify a self-signed certificate.

this could be used for ssh too.

now we only need to solve dns spoofing. (i know technical solutions already exist, dnssec, etc, but they aren't in widespread use yet, or, if i understand it correctly, there is no consensus on which solution should be chosen)

greetings, eMBee.
dotmatrix

Apr 17, 2017
8:36 AM EDT
>for one, there still is dns spoofing. i see it happening with an alarming regularity.

The fix for this is DNSSEC, as you pointed out. It is not widely deployed because of... IMO... misinformation.

>why not store the actual public signing key in the dns record? this way we could do away with CAs altogether because the dns entry can now be used to verify a self-signed certificate.

Yup... I don't understand why it's not done this way. If each domain owner placed a public key in DNS for use as a TLS trust root, CAs would be entirely unnecessary for basic encrypted traffic. There is another function of CAs, and that is to determine the actual identity of a business. However, the government already does this.

So, a much better system than having corporate CAs sign domain owner public keys is... have the domain owner place a public key directly into DNS, and have the government sign those keys if a business applies for a signature. And then... no more CAs at all.

>this could be used for ssh too.

This exists for ssh. It's been a standard for a long time. Unfortunately it seems uncommon for registrars to support the sshfp record:

https://en.wikipedia.org/wiki/SSHFP_Resource_Record
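To show concretely what the SSHFP record mentioned above contains, here is an added example (not code from the thread or from any project it names) that builds the record data for a host key and checks a key against a record the way an SSHFP-aware client would. The host key is a constructed, non-functional Ed25519 key whose only purpose is to have a well-formed encoding; the algorithm and fingerprint-type numbers are the ones registered for SSHFP.

```python
# Added example: build and check an SSHFP record for an SSH host key.
# SSHFP RDATA is "<algorithm> <fingerprint type> <hex fingerprint>", where the
# fingerprint is a hash of the raw public-key blob (the base64 field of a line
# such as "ssh-ed25519 AAAA... host.example" in ssh_host_ed25519_key.pub).
import base64
import hashlib
import hmac
import struct

# Registered SSHFP algorithm numbers and fingerprint types.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def parse_pubkey_line(line: str) -> tuple:
    """Return (key type, raw key blob) from a known_hosts / .pub style line."""
    key_type, b64, *_ = line.split()
    return key_type, base64.b64decode(b64)

def make_sshfp(line: str, fp_type: int = 2) -> str:
    """Produce the SSHFP RDATA to publish for a key line (SHA-256 by default)."""
    key_type, blob = parse_pubkey_line(line)
    digest = SSHFP_HASHES[fp_type](blob).hexdigest()
    return f"{SSHFP_ALGORITHMS[key_type]} {fp_type} {digest}"

def verify_sshfp(line: str, record: str) -> bool:
    """Check a host key offered by a server against an SSHFP record from DNS.
    The record only means something if the zone answer was DNSSEC-validated."""
    alg, fp_type, fp_hex = record.split()
    key_type, blob = parse_pubkey_line(line)
    if SSHFP_ALGORITHMS.get(key_type) != int(alg) or int(fp_type) not in SSHFP_HASHES:
        return False  # wrong key algorithm or unsupported hash: treat as mismatch
    expected = SSHFP_HASHES[int(fp_type)](blob).hexdigest()
    return hmac.compare_digest(expected, fp_hex.lower())

# Constructed sample (not a real key pair): an Ed25519 blob whose 32-byte
# point is 0x01..0x20; only the encoding matters for fingerprinting.
_fake_point = bytes(range(1, 33))
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(_fake_point)
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " host.example"

if __name__ == "__main__":
    record = make_sshfp(SAMPLE_KEY_LINE)
    print("SSHFP RDATA to publish:", record)
    print("offered key matches DNS:", verify_sshfp(SAMPLE_KEY_LINE, record))
```

The output of `make_sshfp` for a real key matches what `ssh-keygen -r` prints for the same key file, so the same check can be run against a live zone once the record is published.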
mbaehrlxer

Apr 17, 2017
11:59 AM EDT
hah, ask and you shall receive! thank you. i am going to see if my dns provider supports sshfp. if not then it's one more reason to eventually go back to my own dns servers.

as far as the identity of a business goes, i don't actually trust CAs to be able to provide that. they are not asking for my business license when i register a domain, so how could they verify anything. and as you say that's the government's job anyways.

greetings, eMBee.
dotmatrix

Apr 17, 2017
8:22 PM EDT
>they are not asking for my business license when i register a domain, so how could they verify anything.

CAs usually offer a high priced certificate called an Extended Validation cert...

https://en.wikipedia.org/wiki/Extended_Validation_Certificate

Wikipedia wrote: EV HTTPS certificates contain a subject with X.509 OIDs for jurisdictionOfIncorporationCountryName, businessCategory, and serialNumber, with the serialNumber pointing to the ID at the relevant secretary of state (US) or national government business registrar (outside US), as well as a CA-specific policy identifier so that EV-aware software, such as a web browser, can recognize them.

EV certificates use the same encryption as organization validated certificates and domain validated certificates: the increase in security is due to the identity validation process, which is indicated within the certificate by the policy identifier.

...

EV certificates are validated against both the Baseline Requirements and the Extended Validation requirements, which place additional requirements on how authorities vet companies. These include manual checks of all the domain names requested by the applicant, checks against official government sources, checks against independent information sources, and phone calls to the company to confirm the position of the applicant. If the certificate is accepted, the government-registered serial number of the business as well as the physical address are stored in the EV certificate.


The EV cert turns the bar 'green'... and the CA is required to ask for business documents in order to issue the cert.

***********

My argument is that the government has already issued the business documents along with a tax ID. The government could run its own cryptographic signing service which allows domain owners who are also business owners to submit a domain public key for TLS which the government could then sign. The government signature on the domain public key would then 'turn the bar green'...
nmset

Apr 23, 2017
4:30 AM EDT
CA

Who gave them authority? Isn't their root certificate self-signed? Can't they spoof an individual or company by issuing false 'digital papers' when the circumstances command? (The government can issue false passports or identity cards, for example.) Isn't it an industry-imposed model for their own sake?
mbaehrlxer

Apr 23, 2017
12:00 PM EDT
good questions.

at this point, i think the authority comes from the browser vendors who include certain CAs in their trust list.

so the authority comes from the fact that the browsers trust them.

greetings, eMBee.
dotmatrix

Apr 23, 2017
3:03 PM EDT
@eMBee: >so the authority comes from the fact that the browsers trust them.

Hence the booting out of my prior go-to CA... StartSSL.

My problem with the CA trust model is that the trust root is not explicitly determined by either the browser user or the domain owner.

@nmset: >Isn't it an industry imposed model for their own sake ?

That's my view as well. I call the CA trust model, the Trust Cartel. They sell an expensive product anyone can create for just a few cents of processing power. Also, the browsers are complicit in the Trust Cartel's actions.

At this point, there is zero reason to employ a CA trust model for Domain Validated certs. It could be argued that DV certs provide only slightly more Assurance than a self-signed cert. Public keys placed in DNS by the domain owner would provide far more Assurance. And if the domain is also signed through DNSSEC, then the Trust Assurance would be quite high.
