There are a few ways of automating domain handling from within an enclave.
A starting point is the approach taken in teleport "trust but verify"...
The private key used to generate the certificate signing request is generated from within the enclave.
The owner of the DNS record isn't proactively prevented from issuing a non-TEE domain, but because certificate transparency provides a list of every issued certificate, we can show a remote attestation to explain every certificate that has been issued.
Another improvement is a DNS feature called CAA (https://letsencrypt.org/docs/caa/), which limits the CAs that are authorized to issue certificates for a domain. This significantly reduces the potential for rogue CAs to create MITM attacks - only Let's Encrypt could do that. This is what is implemented here: https://docs.phala.network/dstack/design-documents/tee-controlled-domain-certificates
Encumbered DNS: a final step (still to research) would be to encumber the account with the registrar that owns the account. In this way, a smart contract would practically control the DNS records.
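The CAA restriction described above is only as good as the records actually present up the DNS tree, so an operator wants to evaluate it the way a CA would. The following is an added example, not code from the issue or from dstack: it evaluates CAA policy per RFC 8659 (climb to the closest ancestor with CAA records, honour the critical flag, prefer `issuewild` for wildcard names) over a constructed zone with hypothetical names, and reports which issuers could obtain a certificate for a given name.

```python
from typing import Dict, List, Optional, Set, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value) as stored in DNS
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit (RFC 8659)

# Constructed sample zone with hypothetical names, not real DNS data:
# the apex allows only Let's Encrypt and forbids wildcard issuance,
# "legacy" overrides that with another CA, "strict" carries a critical
# property a CA will not understand, and "tee" inherits from the apex.
SAMPLE_ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "legacy.example.com": [(0, "issue", "other-ca.example")],
    "strict.example.com": [(CRITICAL, "unknowntag", "x")],
}

def relevant_records(zone: Dict[str, List[CAARecord]], name: str) -> List[CAARecord]:
    """CAA RRset of `name`, or of the closest ancestor that has one (RFC 8659 s3)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        recs = zone.get(".".join(labels[i:]), [])
        if recs:
            return recs
    return []

def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()

def authorized_issuers(zone, name: str, wildcard: bool = False) -> Optional[Set[str]]:
    """Issuer domains allowed for `name`; empty set = nobody; None = unrestricted."""
    recs = relevant_records(zone, name)
    if not recs:
        return None  # no CAA anywhere up the tree
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in recs):
        return set()  # critical property the CA does not understand: must not issue
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in recs):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    values = [issuer_domain(v) for _, t, v in recs if t == tag]
    if not values:
        return None  # the relevant property is absent, so it does not restrict
    return {v for v in values if v}  # a bare ';' names no issuer at all

def ca_may_issue(zone, name: str, ca: str, wildcard: bool = False) -> bool:
    allowed = authorized_issuers(zone, name, wildcard)
    return True if allowed is None else ca.lower() in allowed
```

Running `authorized_issuers` over every name you serve from the enclave, and treating any result other than exactly `{"letsencrypt.org"}` as a finding, is the check to pair with the certificate-transparency review above.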