On Fri, Sep 27, 2024 at 1:34 PM Dmitry Belyavsky <beld...@gmail.com> wrote:
>
> It looks like a terrible idea for me.
>
> Imagine a country that currently doesn't have any trusted roots included in
> browser's bundle. Currently such countries can suspend any domain in their
> zone. Your proposal gives them an opportunity to transparently replace the
> certificate that gives much more capabilities.

They already have the ability to get a certificate for the name after
redirecting it, because control of DNS is what the WebPKI checks for.
We would likely still need CT.

>
>
> On Fri, 27 Sep 2024, 20:56 Watson Ladd, <watsonbl...@gmail.com> wrote:
>>
>> Dear all,
>>
>> Spurred by recent IDs and events I've been thinking harder about how
>> to get what we want out of TLS, DNS, and their interaction at the
>> WebPKI.
>>
>> Fundamentally browsers can't rely on DNS to provide information about
>> authentication because resolvers break that connection, and enforcing
>> that means a lot of important things don't work. DNSSEC never gives
>> the right signal (vanishes at resolver) so DANE doesn't really work,
>> even if we could resolve extra records reliably.
>>
>> To my mind the registry should be able to issue X509 certs for second
>> level domains/whoever controls a public suffix. After all, they know
>> where you change DNS. Haven't sorted out how to deal with the level
>> below that. Do others find this line of thought compelling?
>>
>> Sincerely,
>> Watson Ladd
>>
>> --
>> Astra mortemque praestare gradatim
>>
>> _______________________________________________
>> Uta mailing list -- uta@ietf.org
>> To unsubscribe send an email to uta-le...@ietf.org

--
Astra mortemque praestare gradatim