On Tuesday, 14 November 2017 16:31:34 UTC, Kathleen Wilson wrote:

> Based on information from folks that are monitoring their NS Records, we
> believe that the .tg Registry problems were fixed on November 1, and
> have remained fixed since then.
>
> I have not looked into how Registries are operated and maintained, so
> here is my personal (uneducated) opinion: I think it is possible that
> the .tg Registry could be compromised again. I have no idea if all of
> the newer Registries are using good network and security protocols,
> infrastructure, etc.
Can we loop in somebody (from ICANN maybe? or the root operators?) who can speak for the top level? Do they actually have any power or influence over ccTLDs at all? Do these registries in practice actually do anything they're told, or are they a law unto themselves?

It seems to me there's a bunch of options here.

At one extreme we just accept that some TLDs will be poorly run; entities like Google that have acquired 2LDs in every suffix they can will have cause to regret this, but it's not our fight. Certificates for google.tg will be properly issued to whoever happens to persuade the broken .tg registry system to agree they own it that morning, and if asked we point to the .tg registry because it's their problem. Because the DNS is a hierarchy this has no impact for people whose names aren't under poorly run registries, and the incentive to run registries properly lies with the registrars, who can expect nobody to bother paying for something that's now effectively worthless.

A middle path is that CA/B, or Mozilla on its own, decides that registries which can't manage this sort of thing properly aren't able to deliver on the promise that names should be "meaningful", and so a list of registries will be blacklisted and all names under those suffixes will be ineligible for Web PKI certificates; it would then always be mis-issuance to issue for such names at all.

And at another extreme Mozilla could decide that Firefox, the browser, won't trust such names, and blacklist suffixes at its sole discretion; affected DNS names would simply never get treated as secure in Firefox. It would be acceptable to issue certificates, but they won't make any difference for those names.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy