Root Key Storage

The purpose of the Encryption Working Group is to devise an official Root Certification Authority system for issuing server certificates to OpenNIC domains and user certificates to OpenNIC members.

Moderator: Encryption WG

pfo
Posts: 11
Joined: Tue Feb 07, 2017 10:03 pm

Re: Root Key Storage

Postby pfo » Thu Feb 16, 2017 10:40 am

Okay, good. I believe the next step is to ask the T1 operators if they are on board and if they are, to set up those TXT records. Are you in contact?

Rootadmin1 should be among them, I suppose at least one T1 Operator knows OpenSSL well enough to do that job. Perhaps verax, he is active in this thread as well. Since I believe you would take responsibility as the (or: a) Sysadmin, it cannot be you, Jonah, but you can select one.

JonahAragon
T1 Operator
Posts: 27
Joined: Mon Dec 05, 2016 4:22 pm
Location: Minnesota
Contact:

Re: Root Key Storage

Postby JonahAragon » Thu Feb 16, 2017 12:30 pm

pfo wrote:Rootadmin1 should be among them, I suppose at least one T1 Operator knows OpenSSL good enough to do that job. Perhaps verax, he is active in this thread as well. Since I believe you would take responsibility as the (or: a) Sysadmin, it can not be you, Jonah, but you can select one.


We'll need to decide what route we go down for actually issuing Intermediate Certs, because if we issue ICs to every registry (T1 op) there might not be enough other members to fill the other roles you outlined...

I'd love to get your thoughts on viewtopic.php?f=31&t=1013

pfo
Posts: 11
Joined: Tue Feb 07, 2017 10:03 pm

Re: Root Key Storage

Postby pfo » Thu Feb 16, 2017 11:34 pm

As far as I know, every registry holder also has to be a T1 op, but if also every T1 op is a registry holder, then the Rootadmins and the Key holders cannot be T1 operators. What about T2 operators? I'm sure there are some loyal, stable community members among them as well.

Like I said, I would also be willing to take a role, but since I am quite new, I understand if there is a lack of trust (although I have recently set up a T2 server and submitted it to the server list (awaiting admin approval), but that is kind of off topic).

JonahAragon
T1 Operator
Posts: 27
Joined: Mon Dec 05, 2016 4:22 pm
Location: Minnesota
Contact:

Re: Root Key Storage

Postby JonahAragon » Thu Feb 16, 2017 11:51 pm

pfo wrote:As far as I know, every registry holder also has to be a T1 op, but it also every T1 op is a registry holder, than the Rootadmins and the Key holders cannot be T1 operators. What about T2 operators? I'm sure there are some loyal, stable community members among them as well.


And this is the main problem I have with your plan in particular. Tier 1 ops are going to be the most stable and trusted members of the community, and they should be the rootadmins and key holders, in theory. I don't think we should be as quick to exclude them from such roles, even if it means sysadmins/IC holders are simultaneously key holders. Security-wise it doesn't seem to be much of an added risk, from the looks of it.

I'm not sure about any of the people that run Tier 2 servers, I don't seem to speak with as many of them on IRC or otherwise.

(Also there are 10 Tier 1 operators at the moment)

pfo
Posts: 11
Joined: Tue Feb 07, 2017 10:03 pm

Re: Root Key Storage

Postby pfo » Fri Feb 17, 2017 12:01 am

T2 operators have to submit their contact information when registering their server, I suppose you as a T1 op can access that information. Perhaps you can email them and ask them if they would be willing to take a role.

Sure, T1 ops could receive even more trust than now, however, security should only be weakened if it is absolutely necessary, which it is not currently.

verax
Site Admin
Posts: 30
Joined: Mon Jan 18, 2016 3:16 am

Re: Root Key Storage

Postby verax » Tue Feb 28, 2017 4:27 am

Regarding the PGP keys, that's a nice idea. Use an RP record with the operator's email and his key in the associated TXT record.
I'm personally onboard with this idea with 2 small caveats:
1) We should bash it around some more, until we have a complete plan and maybe some of the infrastructure in place _before_ getting the ball rolling.
2) I'm kind of busy lately and can't really make commitments to any real volume of work.

As far as who actually gets to hold the keys, I don't know. We just need reliable and trustworthy people, and make sure that the number in any one country is less than the unlock number. TLD operators just need intermediate certs and a transparency list.
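The two technical points in verax's post (publishing an operator's PGP key via an RP record whose TXT target carries the key, and keeping the number of key holders in any one country below the unlock number) can be made concrete. The following is an added example, not code from the thread or from OpenNIC: it splits a root-key secret with Shamir's scheme so that any `threshold` holders can unlock it, checks a constructed holder list against the per-country rule, and walks a constructed zone fragment from a host to its RP record and on to the TXT record holding the key fingerprint. The zone names, the fingerprint text and the holder list are placeholders.

```python
import secrets

# Prime field for Shamir sharing. 2**521 - 1 is a Mersenne prime, so any
# secret of up to 65 bytes (e.g. a root-key passphrase) fits below it.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial coeffs[0] + coeffs[1]*x + ... at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, n_shares):
    """Split `secret` into n_shares points; any `threshold` of them recover it."""
    if not 0 <= secret < PRIME or not 1 <= threshold <= n_shares:
        raise ValueError("bad sharing parameters")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x=0; needs at least `threshold` distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def countries_that_can_unlock_alone(holders, threshold):
    """holders maps holder name -> country code. Returns the countries that
    hold at least `threshold` shares, i.e. that break the per-country rule."""
    counts = {}
    for country in holders.values():
        counts[country] = counts.get(country, 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)


# Constructed zone fragment (placeholder names): the RP record names the
# operator's mailbox as a domain name (RFC 1183 style) and a TXT owner that
# carries the PGP key fingerprint.
ZONE = """
ns1.opennic.test.       IN RP  verax.example.test.  verax-key.opennic.test.
verax-key.opennic.test. IN TXT "PGP-FINGERPRINT: 0000 1111 2222 3333 (placeholder)"
"""


def parse_zone(text):
    """Minimal parser for 'owner IN TYPE rdata' lines; returns (owner, type, rdata)."""
    records = []
    for line in text.strip().splitlines():
        owner, _cls, rtype, rdata = line.split(None, 3)
        records.append((owner.lower(), rtype.upper(), rdata))
    return records


def find_operator_key(records, host):
    """Follow host -> RP -> TXT and return (email, txt_payload), or None."""
    for owner, rtype, rdata in records:
        if owner == host.lower() and rtype == "RP":
            mbox, txt_owner = rdata.split()
            # The RP mailbox encodes user@domain as user.domain.
            local, _, domain = mbox.rstrip(".").partition(".")
            email = f"{local}@{domain}"
            for o2, t2, r2 in records:
                if o2 == txt_owner.lower() and t2 == "TXT":
                    return email, r2.strip('"')
    return None


if __name__ == "__main__":
    secret = int.from_bytes(b"root-key-passphrase (constructed)", "big")
    shares = split_secret(secret, threshold=3, n_shares=5)
    print(recover_secret(shares[:3]) == secret)
    holders = {"a": "US", "b": "US", "c": "US", "d": "DE", "e": "NL"}
    print(countries_that_can_unlock_alone(holders, 3))
    print(find_operator_key(parse_zone(ZONE), "ns1.opennic.test."))
```

Shamir sharing is the standard way to realise an "unlock number": fewer than `threshold` shares reveal nothing about the secret, so the per-country check above is exactly the condition that no single jurisdiction can reconstruct the root key on its own. The RP lookup is shown over an in-memory zone so it runs offline; against live DNS the same two-step walk would be done with ordinary RP and TXT queries.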

