On 16/04/2016 3:22 AM, Robin Humble via luv-main wrote:
> On Sat, Apr 16, 2016 at 02:35:20AM +1000, Andrew McGlashan via luv-main wrote:
>> How about having fingerprints saved in DNS records, self-signed or
>> "official" CA signed certs?
> Certs for the domain in DNSSEC. Sounds good.
> I've heard folks who know a lot more than me about protocols and
> security discuss it favourably.
> Is it an RFC?
Good question, don't know the answer.
But I've just thought of another solution.
Every single domain has a registrar. Each registrar should be required
to offer proof of ownership of the domain so that we can get
certificates easily. You have a "proof" of ownership in the form of
signed data only accessible from the login for the domain management.
You sign this data with a GPG key for an email that is set up on one or
more of the domain's contact names (every contact type should be able to
sign the request). The public key identifier for that email resides on
record at the registrar (not the private key of course).
Now, you don't need to fart around with stopping / starting servers or
use manual processes to attain certs that require you to jump through
lots of hoops. Your CSR can include your proof from the registrar
(signed by them), then counter-signed by you. Then Let's Encrypt can
provide the required certificate(s) and chain files.
Automation of Let's Encrypt can be problematic; you need too much extra
rubbish installed for that. The manual process (for use via servers
that don't host the website(s) or mail services, for instance) is still
labour intensive: having to create files in well-known areas and
populate them with specific data, and repeat that every time you renew
the certificate.
Whilst we continue to have a CA system, it may as well be made less
painful than even Let's Encrypt has managed thus far. The latest thoughts
also lessen the chance that anyone with access to a web server for a
domain name may create certificates without proper authority. Perhaps
the registrar can also be expected to keep certificate fingerprints
available online (for each and all certificates relating to the domain
names), but this might be a step too far.
More thoughts?
Cheers
AndrewM