Differences

This shows you the differences between two versions of the page.

opennic:tls [2020-05-29T11:07:04Z] – created deep42thoughtopennic:tls [2020-06-03T08:42:45Z] – [Planned deployment] deep42thought
Line 3: Line 3:
 ===== Current deployment ===== ===== Current deployment =====
  
-There is an experimental acme server in place at [[https://playground.acme.libre]] to automatically obtain TLS certificates for servers under all OpenNIC (and currently also all ICANN and all peered) top level domains.+There is an experimental acme server in place at [[https://playground.acme.libre]] to automatically obtain TLS certificates for servers under all OpenNIC top level domains (Restricted by [[https://security.stackexchange.com/questions/31376/can-i-restrict-a-certification-authority-to-signing-certain-domains-only|Name Constraints]]).
 The trust anchor for these certificates can be downloaded [[https://playground.acme.libre/opennic_root_ca.crt|here]]. The trust anchor for these certificates can be downloaded [[https://playground.acme.libre/opennic_root_ca.crt|here]].
  
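Review bot: the new text in the Line 3 hunk says issuance is restricted to OpenNIC top level domains by Name Constraints, but it does not say which certificate carries the constraint; clients differ in whether they honour extensions on the trust anchor itself, so the Name Constraints extension (permittedSubtrees listing the OpenNIC TLDs, marked critical) belongs on the intermediate that actually signs the leaf certificates, and the page should say so. It would also help to state whether issuance for ICANN and peered TLDs, which the old text described, has actually been switched off or whether only the wording changed.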
Line 11: Line 11:
  
 ===== Planned deployment ===== ===== Planned deployment =====
 +
 +The trust chain could look as follows:
  
   - root cert - private key on a restricted machine or the CA operator’s hardware token like a YubiKey. The public key/self-signed cert for this one is published on opennic site and is what we ask our users to trust when they deploy our DNS   - root cert - private key on a restricted machine or the CA operator’s hardware token like a YubiKey. The public key/self-signed cert for this one is published on opennic site and is what we ask our users to trust when they deploy our DNS
-  - intermediate - valid for 6 months, needs to be semi-automatically renewed (resigned) by (a) - CA operator does this with their hardware token/Yubikey on a secure, dedicated, offline machine. +  - intermediate - valid for 6 months, needs to be semi-automatically renewed (resigned) by - CA operator does this with their hardware token/Yubikey on a secure, dedicated, offline machine. 
-  - client certs - valid for 1-3 months, requested and issued exclusively through ACME protocol, signed by (b). Private key for (b) lives on ACME server.+  - client certs - valid for 1-3 months, requested and issued exclusively through ACME protocol, signed by 2. Private key for lives on ACME server.
  
 +The following things might be desirable, too:
 +  - Distribute the Root CA key amongst multiple persons: either share copies, have multiple such keys, or have [[https://tools.ietf.org/html/draft-hallambaker-threshold-sigs-02|some Shamir-like secret sharing]] in place
 +  - Deploy multiple intermediate CAs / ACME-server "parallely"
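Review bot: in the Line 11 hunk the rewritten items 2 and 3 lost their referents: "renewed (resigned) by - CA operator" and "Private key for lives on ACME server" no longer say which key is meant, because the (a)/(b) labels were removed without replacement. Suggest referring to the list numbers consistently, e.g. "needs to be semi-automatically renewed (resigned) by 1" and "signed by 2. Private key for 2 lives on ACME server." Two planning points follow from the stated lifetimes: a 6-month intermediate that issues certificates valid for up to 3 months must be renewed at least 3 months before it expires, otherwise leaf certificates outlive their issuer and chain validation fails; and of the three options listed for distributing the root key, "share copies" multiplies the places the key can be stolen from, whereas multiple roots or threshold signing do not, so the trade-off deserves a sentence.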
  • /wiki/data/pages/opennic/tls.txt
  • Last modified: 3 years ago
  • by marek