
On 16/04/2016 3:22 AM, Robin Humble via luv-main wrote:
> On Sat, Apr 16, 2016 at 02:35:20AM +1000, Andrew McGlashan via luv-main wrote:
>> How about having fingerprints saved in DNS records, self-signed or "official" CA signed certs?
> Certs for the domain in DNSSEC for the domain. Sounds good. I've heard folks who know a lot more than me about protocols and security discuss it favourably. Is it an RFC?
Good question, don't know the answer. But I've just thought of another solution.

Every single domain has a registrar. Each registrar should be required to offer proof of ownership of the domain so that we can get certificates easily. You have a "proof" of ownership in the form of signed data only accessible from the login for the domain management. You sign this data with a GPG key for an email that is set up on one or more of the domain's contact names (every contact type should be able to sign the request). The public key identifier for that email resides on record at the registrar (not the private key, of course).

Now you don't need to fart around with stopping/starting servers or use manual processes to attain certs that require you to jump through lots of hoops. Your CSR can include your proof from the registrar (signed by them), then counter-signed by you. Then Let's Encrypt can provide the required certificate(s) and chain files.

Automation of letsencrypt can be problematic; you need too much extra rubbish installed for that. The manual process (for use via servers that don't host the website(s) or mail services, for instance) is still labour intensive: having to create files in well-known areas and populate them with specific data, and repeat that every time you renew the certificate. Whilst we continue to have a CA system, it may as well be made less painful than even letsencrypt has managed thus far.

The latest thoughts also lessen the chance that anyone with access to a web server for a domain name may create certificates without proper authority. Perhaps the registrar can also be expected to keep certificate fingerprints available online (for each and all certificates relating to the domain names), but this might be a step too far.

More thoughts?

Cheers
AndrewM
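The "fingerprints in DNS" idea Andrew and Robin are discussing is what DANE TLSA records (RFC 6698) do: a DNSSEC-signed record carries a hash of the certificate or of its public key, and a client compares the certificate presented in the TLS handshake against it. The following is an added, stand-alone example and not code from anyone in this thread; it generates a throwaway self-signed certificate, derives the common "3 1 1" record (DANE-EE usage, SubjectPublicKeyInfo selector, SHA-256), prints it in zone-file form, and checks a presented chain against it. The host name www.example.org and the port 443 owner name are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the rdata of a DANE TLSA record (RFC 6698): certificate usage,
// selector, matching type and the certificate association data.
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// NewSelfSignedCert makes a throwaway P-256 certificate for cn. It stands in
// for whatever certificate the operator really deploys (example only).
func NewSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AssociationData derives the record's data field: selector 0 covers the full
// DER certificate, selector 1 only the SubjectPublicKeyInfo; matching type 0
// is the raw bytes and 1 is their SHA-256 digest.
func AssociationData(cert *x509.Certificate, selector, matching uint8) ([]byte, error) {
	var input []byte
	switch selector {
	case 0:
		input = cert.Raw
	case 1:
		input = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("unsupported selector %d", selector)
	}
	switch matching {
	case 0:
		return input, nil
	case 1:
		sum := sha256.Sum256(input)
		return sum[:], nil
	default:
		return nil, fmt.Errorf("unsupported matching type %d", matching)
	}
}

// GenerateTLSA builds the usual "3 1 1" record: pin the server key's SPKI by
// SHA-256. Renewing with the same key leaves the record valid; rotating the
// key means publishing the new record (and waiting out the TTL) first.
func GenerateTLSA(cert *x509.Certificate) (TLSA, error) {
	data, err := AssociationData(cert, 1, 1)
	if err != nil {
		return TLSA{}, err
	}
	return TLSA{Usage: 3, Selector: 1, MatchingType: 1, Data: data}, nil
}

// String renders the rdata as it appears in a zone file.
func (t TLSA) String() string {
	return fmt.Sprintf("%d %d %d %s", t.Usage, t.Selector, t.MatchingType, hex.EncodeToString(t.Data))
}

// Matches checks a presented chain (leaf first). Usage 3 pins the leaf; usage
// 2 pins a trust anchor that must appear further up the chain (a real client
// must additionally path-validate the leaf to that anchor).
func (t TLSA) Matches(chain []*x509.Certificate) bool {
	if len(chain) == 0 {
		return false
	}
	candidates := chain[:1]
	if t.Usage == 2 {
		candidates = chain[1:]
	}
	for _, c := range candidates {
		data, err := AssociationData(c, t.Selector, t.MatchingType)
		if err == nil && subtle.ConstantTimeCompare(data, t.Data) == 1 {
			return true
		}
	}
	return false
}

func main() {
	cert, err := NewSelfSignedCert("www.example.org")
	if err != nil {
		panic(err)
	}
	rec, _ := GenerateTLSA(cert)
	fmt.Printf("_443._tcp.www.example.org. IN TLSA %s\n", rec)
	fmt.Println("presented cert matches record:", rec.Matches([]*x509.Certificate{cert}))
}
```

The point a practitioner should take from the "3 1 1" choice is that the pin is on the key, not the certificate, so the record survives the routine renewals the thread complains about; and because it is a DANE-EE pin, the record (not the CA) is what the client trusts, which is only as strong as the DNSSEC chain protecting it.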
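Andrew's registrar proposal is a two-signature protocol: the registrar signs a statement binding the domain to a contact key it holds on record, the contact counter-signs it, and the CA accepts the pair in place of an HTTP or DNS challenge. The following is an added example of that exchange, not code from the thread or from any registrar or CA; it uses Ed25519 from Go's standard library as a stand-in for the GPG signatures Andrew describes, and the names RegistrarIssue, OwnerCountersign and CAVerify, the JSON encoding of the proof, and the domain example.org are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Proof is what the registrar signs: the domain, the public key of the
// contact allowed to countersign (the key the registrar has on record), and
// an expiry so a leaked proof cannot be replayed indefinitely.
type Proof struct {
	Domain     string    `json:"domain"`
	ContactKey []byte    `json:"contact_key"`
	Expires    time.Time `json:"expires"`
}

// SignedProof carries the registrar's signature and, once the owner has
// countersigned, the owner's signature over the same bytes.
type SignedProof struct {
	Proof        Proof
	RegistrarSig []byte
	OwnerSig     []byte
}

// bytes is the message both parties sign. encoding/json emits struct fields
// in declaration order, so the same Proof always marshals to the same bytes.
func (p Proof) bytes() []byte {
	b, err := json.Marshal(p)
	if err != nil {
		panic(err) // cannot happen for these field types
	}
	return b
}

// RegistrarIssue is the step behind the domain-management login: the
// registrar binds the domain to the contact key it holds on record.
func RegistrarIssue(regPriv ed25519.PrivateKey, domain string, contactPub ed25519.PublicKey, ttl time.Duration) SignedProof {
	p := Proof{Domain: domain, ContactKey: contactPub, Expires: time.Now().Add(ttl).UTC()}
	return SignedProof{Proof: p, RegistrarSig: ed25519.Sign(regPriv, p.bytes())}
}

// OwnerCountersign is the contact's step, using the private half of the key
// the registrar has on file.
func OwnerCountersign(sp SignedProof, ownerPriv ed25519.PrivateKey) SignedProof {
	sp.OwnerSig = ed25519.Sign(ownerPriv, sp.Proof.bytes())
	return sp
}

// CAVerify is the check a CA runs on the proof attached to a CSR. The CA
// trusts only the registrar's public key; the contact key is read from the
// proof itself, which is safe because the registrar's signature covers it.
func CAVerify(sp SignedProof, registrarPub ed25519.PublicKey, csrDomain string, now time.Time) error {
	msg := sp.Proof.bytes()
	if !ed25519.Verify(registrarPub, msg, sp.RegistrarSig) {
		return errors.New("registrar signature does not verify")
	}
	if now.After(sp.Proof.Expires) {
		return errors.New("proof has expired")
	}
	if sp.Proof.Domain != csrDomain {
		return fmt.Errorf("proof covers %q, CSR is for %q", sp.Proof.Domain, csrDomain)
	}
	if len(sp.Proof.ContactKey) != ed25519.PublicKeySize {
		return errors.New("malformed contact key in proof")
	}
	if !ed25519.Verify(ed25519.PublicKey(sp.Proof.ContactKey), msg, sp.OwnerSig) {
		return errors.New("owner countersignature does not verify")
	}
	return nil
}

func main() {
	regPub, regPriv, _ := ed25519.GenerateKey(rand.Reader)
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	issued := RegistrarIssue(regPriv, "example.org", ownerPub, time.Hour)
	good := OwnerCountersign(issued, ownerPriv)
	fmt.Println("valid proof:", CAVerify(good, regPub, "example.org", time.Now()))
	// Someone with web-server access but no contact key cannot complete the proof.
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("attacker countersign:", CAVerify(OwnerCountersign(issued, attacker), regPub, "example.org", time.Now()))
}
```

Two design points are worth noting. The CA needs nothing from the domain owner in advance, only the registrar's public key, because the contact key travels inside the registrar-signed proof; and the expiry plus domain binding stop a proof issued for one CSR from being reused for another domain or kept indefinitely, which is what makes the scheme resist the "anyone with access to the web server" case Andrew raises.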