Networking Security The Internet IT

Ask Slashdot: Does SSL Validation Matter? 243

An anonymous reader writes "Right now, in an email list excluded from the public eye, some bright people are discussing the future of SSL. Under debate is (a) do they allow DV (domain only validation) certificates to continue to exist (exist for e-commerce use? only encryption use?) or do they require a higher degree of certificate validation? (b) Do they allow certificates to be issued with non-unique common names (certificates used on internal networks, think your Exchange server) or do they ban the practice? If this were 'hypothetically' a heated debate going on right now and you could chime in, what would you say?"
  • by Anonymous Coward on Saturday August 06, 2011 @02:45PM (#37009150)

    What's disturbing is that whoever is allowed on this mailing list imagines that they can make decisions out of the public eye and in secret. I call for them to make their discussions public immediately, with their list open to subscriptions and posting, and all past messages archived on the web for all to read. Failing that, we must ensure that no one respects the decisions of any committee operating in secret, for if they hide from the public, they don't have our interests at heart.

  • by interval1066 ( 668936 ) on Saturday August 06, 2011 @03:26PM (#37009504) Journal

    For SSL protection of your web site, the government should issue SSL certificates...

    Yes, because as we all know governments are the end all of sweetness and light. (Hint, I don't trust my government. I hope you are happy with yours.)

  • by Anthony Mouse ( 1927662 ) on Saturday August 06, 2011 @05:27PM (#37010232)

    There is nothing that says you can't use DNSSEC for any clients that support it and certificates signed by traditional CAs for those that don't, until such time as there are so few non-DNSSEC supporting clients that you can do away with the CAs.

    You can even put a scary message on web pages for non-DNSSEC supporting clients saying (truthfully) how their computer is insecure and pointing them to a place where they can update their software to support DNSSEC.

  • by mysidia ( 191772 ) * on Saturday August 06, 2011 @06:15PM (#37010502)

    Provided all clients support DNSSEC, which probably won't happen for several years.

    Then we could introduce the concept of a public notary, which would be a DNSSEC enabled server that will vouch for the server.

    For example... we could eliminate all trusted CA certificates, and replace them with trusted notary certificates.

    The rules regarding notaries issuing certificates for domain names or any subdomain could be something like:

    (1) any notary issued certificate must be valid for no longer than 1 hour.

    (2) a notary certificate can only be issued after comparing the details of the CSR presented, with a valid DNSSEC distributed public key, and finding the Subject name and public key details identical.

    (3) a certificate for an e-mail address (e.g. for S/MIME), for code signing, or AD/LDAP Directory authentication, may be issued for a longer period, but must not be valid after the current expiration date of the domain name, and for issuance, SSL keys must be distributed under a DNSSEC validated subdomain that [1] identifies the desired subject of the certificate, [2] identifies the desired duration of the certificate, and [3] identifies the public key, etc.... all CSR details must be mirrored in the DNS record, and all signed using DNSSEC
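Rules (1) and (2) from the comment above, written out as a policy check. This is an added example, not part of the original thread: the `DnsKeyRecord` and `Csr` types, their field names and the sample values are hypothetical, and DNSSEC validation is assumed to be done by a validating resolver and passed in as a flag.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(hours=1)  # rule (1): notary certificates last at most 1 hour

@dataclass(frozen=True)
class DnsKeyRecord:          # hypothetical: key material published in DNS
    subject: str
    public_key: bytes
    dnssec_validated: bool   # assumed to come from a validating resolver

@dataclass(frozen=True)
class Csr:                   # hypothetical: fields the notary reads from the CSR
    subject: str
    public_key: bytes
    not_before: datetime
    not_after: datetime

def _name(n: str) -> str:
    # Assumption: DNS names compare case-insensitively, ignoring a trailing dot.
    return n.rstrip(".").lower()

def notary_decision(csr: Csr, record: DnsKeyRecord) -> tuple[bool, str]:
    """Apply rules (1) and (2); return (issue?, reason)."""
    if not record.dnssec_validated:
        return False, "record not DNSSEC-validated"
    if _name(csr.subject) != _name(record.subject):
        return False, "subject mismatch"
    if csr.public_key != record.public_key:
        return False, "public key mismatch"
    lifetime = csr.not_after - csr.not_before
    if lifetime <= timedelta(0) or lifetime > MAX_LIFETIME:
        return False, "validity window not within 1 hour"
    return True, "ok"

def sample_decisions() -> list[tuple[bool, str]]:
    # Constructed sample data; the key bytes are placeholders, not real keys.
    t0 = datetime(2011, 8, 6, 18, 0, tzinfo=timezone.utc)
    rec = DnsKeyRecord("www.example.com.", b"KEY-A", True)
    unsigned = DnsKeyRecord("www.example.com.", b"KEY-A", False)
    hour, day = t0 + timedelta(hours=1), t0 + timedelta(days=1)
    return [
        notary_decision(Csr("WWW.example.com", b"KEY-A", t0, hour), rec),
        notary_decision(Csr("www.example.com", b"KEY-B", t0, hour), rec),
        notary_decision(Csr("www.example.com", b"KEY-A", t0, day), rec),
        notary_decision(Csr("www.example.com", b"KEY-A", t0, hour), unsigned),
    ]

if __name__ == "__main__":
    for issued, reason in sample_decisions():
        print(issued, reason)
```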

  • by Anonymous Coward on Sunday August 07, 2011 @12:57AM (#37012310)

    As you pointed out, it's not a fault of TLS as a protocol. TLS is a decent protocol, but the trusted roots part is not the best approach. I really have much better trust in DNSSEC as an approach. I just wish there was a generic way of publishing all keys over DNS (instead of LDAP) for SSH, PGP, S/MIME, SSL and anything else.

    I haven't read up that much on who is actually in control with DNSSEC, but wouldn't that basically put all trust in those who sell domain names? Sure people and companies can set up their own DNS roots, but that would be the equivalent of setting up your own CA today?

    Of course, I still strongly support the idea of DNSSEC in principle, but only because it's more secure than not having any security at all. I'm definitely not convinced that it, or CAs for that matter, are sufficiently secure.
