
DNSSEC-Like Trust for Certificate Authorities - therealEleix
https://gist.github.com/Eleix/7b093de5f84bfb38503215955857a2ae
======
therealEleix
Asking for discussion. Original text goes over HN's character limit for text
entries.

~~~
detaro
What you are describing sounds like DANE.

And it's not just decentralizing trust, but also further centralizing it:
Instead of a list of CAs you can trust/not trust, you tie everything back to
the DNSSEC root keys and your TLDs master keys.

~~~
therealEleix
You're right, I completely spaced about DANE.

My idea for letting the trust being tied to the Root and TLD master keys was
more in spirit of allowing people to have more say in SSL. The Internet is
technically centralized to the IP and DNS namespace already so for me it
seemed like the next step in the chain. While we centralize one part of the
Internet we also open it up to allow for alternative root projects like
OpenNIC to be able to establish community-based chains of trust.

Like I know one of the big problems with OpenNIC is nobody can really use SSL
since if you trust a third party CA they can just sign for anybody without
limits, and if you run both a DNS and CA service there then you have
everything you would need to do large scale SSL interception in those cases :(

~~~
foxcpp
>if you trust a third party CA they can just sign for anybody without limits

It is possible for a root certificate to have a name constraint making all
certificates issued for other e.g. TLDs invalid. Like it is done in dn42 CA.

~~~
detaro
Yes, that's the nicer solution, and it seems Apple finally got around to
adding support for it as well a while back - for a long time they didn't
support it, so name constraints broke validation for Safari and Chrome on
macOS.

