In the wake of the recent Comodo fraud incident, there has been a great deal of speculation about how to improve the public key infrastructure on which the security of the Internet rests. Given the current interest, Google today described two projects it is engaged in:
The first is the “Google Certificate Catalog,” a database of all the certificates that Google’s web crawlers collect while scanning the web, published in DNS. So, for example, if you wanted to see what Google thinks of https://www.google.com/’s certificate, you could do this:
“In other words: take the SHA-1 hash of the certificate, represent it as a hexadecimal number, then look up a TXT record with that name in the certs.googlednstest.com domain. What you get back is a set of three numbers. The first number is the day that Google’s crawlers first saw that certificate, the second is the most recent day, and the third is the number of days we saw it in between,” explains Google.
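The lookup Google describes, as an added example that is not Google’s code: it hashes the DER form of a certificate with SHA-1, builds the TXT name under certs.googlednstest.com, and parses the three-number answer. It assumes the certificate is supplied as PEM; the article does not say which epoch the day numbers count from, so they are kept as plain integers.

```python
import base64
import hashlib
import re

CATALOG_ZONE = "certs.googlednstest.com"  # zone named in the article


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode to the DER bytes that get hashed."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def catalog_query_name(cert_der: bytes) -> str:
    """SHA-1 of the DER certificate as lowercase hex, prepended to the catalog zone."""
    return f"{hashlib.sha1(cert_der).hexdigest()}.{CATALOG_ZONE}"


def parse_catalog_txt(txt: str) -> dict:
    """Parse a TXT answer of the form "<first day> <last day> <days seen>".

    The epoch of the day numbers is not stated in the article (assumption: treat
    them as opaque integers). Rejects answers that are not three integers or whose
    'days seen' count exceeds the span between first and last sighting.
    """
    parts = txt.strip().strip('"').split()
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected catalog record: {txt!r}")
    first, last, days_seen = (int(p) for p in parts)
    if last < first or days_seen < 1 or days_seen > last - first + 1:
        raise ValueError(f"inconsistent catalog record: {txt!r}")
    return {"first_seen": first, "last_seen": last, "days_seen": days_seen}


if __name__ == "__main__":
    # Constructed placeholder, not a real certificate: only the hashing path matters here.
    fake_pem = (
        "-----BEGIN CERTIFICATE-----\n"
        + base64.b64encode(b"constructed placeholder certificate body").decode()
        + "\n-----END CERTIFICATE-----\n"
    )
    name = catalog_query_name(pem_to_der(fake_pem))
    print("TXT record to query:", name)
    # Constructed sample answer standing in for the real DNS response.
    print(parse_catalog_txt('"14400 14460 61"'))
```

A certificate with a first-seen day close to today and a single day of sightings is one the crawlers have barely observed, which is the signal the catalog is meant to expose.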
The second initiative is the DANE (DNS-based Authentication of Named Entities) Working Group at the IETF. In short, the idea is to allow domain operators to publish information about the SSL certificates used on their hosts. Using DANE DNS records, it should be possible to specify particular certificates that are valid, or the CAs that are allowed to sign certificates for those hosts.
It’ll be some time before DNSSEC is deployed widely enough for DANE to be broadly useful, since DANE requires every domain to be able to use DNSSEC.