On Mon, 2012-12-31 at 16:26 +0100, Kai Engert wrote:
> I propose to more actively involve users into the process of accepting
> certificates for domains.

I propose the following in addition:

Each CA certificate shall have a single country where the CA organization is physically located (they already contain that).

If the CA's country matches the country of the domain being visited, then we proceed automatically. Example: A US based CA and a user visiting a .us site.

If the domain being visited is a non-country specific domain, like .com or .org, then we could securely query the domain registry. We could "pin" in the software, which set of CAs are allowed for talking SSL/TLS to a domain registry. The CA should be located in the same country where the root zone of that domain is being operated.

We learn that a specific domain is registered in the US. If the CA used by the site is based in the US, too, everything is fine. Or if the domain is registered in Germany, and the site presents a certificate from a German CA, we could accept it too.

For all scenarios where we see a mismatch, it could be argued that something is wrong, and we could use the UI that I have described.

Maybe that can be further enhanced.

This system would encourage local authorities, and reduce the power of the currently big players in the CA world.

(I'd prefer such a system over DNSSEC, where everything chains up to a single key in just one country.)

Kai

(Credits: Thanks to @_not_you who suggested to find some heuristic to improve this proposal.)

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
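The country-matching heuristic from the proposal above, written out as an added Python sketch that is not part of the original post: it compares the C= attribute of the issuer DN with the country derived from a ccTLD or, for generic TLDs, from a registry answer. The ccTLD table, the pinned-registry answers and the DN parsing are assumptions made for the example.

```python
from typing import Optional

# Assumed mapping of a few country-code TLDs to ISO 3166 country codes.
CCTLD_TO_COUNTRY = {"us": "US", "de": "DE", "uk": "GB", "fr": "FR"}

# Constructed stand-in for the answer of a (pinned) registry query on a
# generic TLD, keyed by registered domain. A real client would query the
# registry over TLS using only the CA set pinned for that registry.
REGISTRY_COUNTRY = {"example.com": "US", "beispiel.org": "DE"}


def ca_country(issuer_dn: str) -> Optional[str]:
    """Extract the C= attribute from an issuer DN such as 'C=US, O=Some CA'."""
    for part in issuer_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "C" and value.strip():
            return value.strip().upper()
    return None


def domain_country(host: str, registry=REGISTRY_COUNTRY) -> Optional[str]:
    """Country of the site: from the ccTLD, else from the registry lookup."""
    labels = host.lower().rstrip(".").split(".")
    tld = labels[-1]
    if tld in CCTLD_TO_COUNTRY:
        return CCTLD_TO_COUNTRY[tld]
    # Generic TLD: the registry tells us where the registered domain lives.
    registered = ".".join(labels[-2:])
    return registry.get(registered)


def decide(host: str, issuer_dn: str) -> str:
    """'accept' when CA country and domain country agree, else 'ask_user'.

    Any mismatch, or an undeterminable side, falls back to the interactive
    UI the proposal describes rather than silently accepting.
    """
    ca = ca_country(issuer_dn)
    dom = domain_country(host)
    if ca is None or dom is None:
        return "ask_user"
    return "accept" if ca == dom else "ask_user"


if __name__ == "__main__":
    print(decide("www.example.us", "C=US, O=Example CA"))     # accept
    print(decide("www.beispiel.org", "C=US, O=Example CA"))   # ask_user
```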