Issuance authority and DNS delegation

Theoretical question: Should the entity owning your TLD be able to get certs for your domain? If not, why not? They control it, so they own your domain. Why do you assume that every level below every domain is under the clear-cut authority of a single entity?

If you delegate a subdomain away, you are no longer the authority of it. You don’t control its contents. You delegated that. Only by forcefully violating that authority can you control what happens in that subdomain.

Bad analogy time: A landlord owns the house. If he rents out rooms, he is no longer allowed to enter without permission.

You need to understand the difference between ownership and authority.

It is a theoretical question - and its also not how DNS works.

You make the choice to delegate a subdomain of your domain to someone else. That’s fine. Its your choice as the domain owner.

The subdomain can’t issue a cert for the root (that shouldn’t be allowed) - so its still not an issue.

In the eyes of the domain registrar (and just about everyone else), the root domain owner is the owner of all subdomains. You can’t honestly say user X would own the domain / rights for, say,, right?

Ownership != authority.

I say if user X has authority over, the owner of shouldn’t be able to get a cert for

If you as the domain owner… Your policy decisions should not dictate this as a policy for everyone.

This has always been a weak argument. Its why domains are so cheap. If this is a problem for you, use a different domain…

If your proposal gets implemented, it’s in effect for everyone, with every unknown consequence that you didn’t foresee, because you just care about your case and no one else.

1 Like

This has been an interesting read. :thinking:
No names, no fingers, and no flames (though I expect to see some soon.) Just a few quick thoughts now, while I digest and ruminate on the fodder here.

  • Don’t confuse LE with the clients - I did at first myself until I read (and learned) more.
  • Ownership != authority_and_ authority != access and renting != owning
  • Metaphors generalize, examples illustrate, both useful but different.
  • Who “owns” what on the internet, and what responsibilities come with authority?
  • Who “controls” what on the internet?
  • If hacker_user gets, somehow, a cert for, but can’t install the cert on the server, does it matter (theoretically or practically)?
  • If Makmonitor (registrar for Google), or VeriSign Global Registry Services (.com registry operator) gets a cert for, but can’t install the cert on the server, does it matter (theoretically or practically)?
  • There is no way to defend against, or attack, innuendo; there is, similarly, no way to topple Truth, once found. So why try either?
  • Does a cert mean “authority,” “ownership,” or “control,” or a combination?

Yes, it clearly does matter! The whole idea of a SSL certificate is to protect against the situation where a (network) attacker can somehow modify the data flowing between the client and the server. If an attacker cannot do that, the certificate isn't helping anyways; if the attacker can do that, the mis-issued certificate allows him to MITM the connection.


The problem is, the way the SSL CA construct is, it is a futile effort. One of several hundred CA certificates can generate a trusted cert for any domain on the planet. The entire idea of a CA authority boils down to the weakest link - and it happens time and time again.

Apart from wireless connections, MITM is kinda hard - but not impossible. When you get into the main backbones, it is normally a state sponsored actor - and I wouldn’t be surprised if they have control over several trusted CA certs to make their own certs anyway.

SSL is not a complete solution, but its orders of magnitude better than plain text - which is pretty much the alternative.

The real trick is to take the CA’s out of the business without completely breaking the system - which I’m not sure is even possible.

1 Like

@CRCinAU, the system is making some progress with Certificate Transparency, which Chrome is eventually going to require for all publicly-trusted certificates, so certificates will not be accepted at all unless they’ve been publicly disclosed. In that case there’s a quicker path for identifying CAs that misissue and looking into why they’ve done so and how to stop them from doing so again.


@schoen - I 100% agree that we’re making progress. A little annoying that the system has been broken for so long - but its fantastic to see this work ongoing.

It’s essentially an audit of every known trusted CA that exists. That in itself is a mammoth task - but one that is of utmost importance to allow validated SSL to gain some level of trust again.

1 Like

public suffix, so no.
but technically they could take your authority away for a while for whatever reason, get the cert and give the authority back.

only with the difference that it's still githubs servers and they could just get the cert with DNS Validation and stuff because you only may upload some files to it but you dont get authority over the domain itself.

imo yes because if he can MITM people with his own server it might be not funny.

yeah that would help, at least if the domain owners keep track of the certs (or let someone else do it).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.