
Example of Letsencrypt handling #6

@amiller


There are a few ways of automating domain handling from within an enclave.

1. A starting point is the approach taken in teleport "trust but verify"...

   The private key used to generate the certificate signing request is generated from within the enclave.

   The owner of the DNS record isn't proactively prevented from issuing a non-TEE domain, but because certificate transparency provides a list of every issued certificate, we can show a remote attestation to explain every certificate that has been issued.

2. Another improvement is a DNS feature called CAA, https://letsencrypt.org/docs/caa/ which limits the CAs that are authorized to issue certificates for a domain. This significantly reduces the potential for rogue CAs to create MITM attacks - only letsencrypt could do that. This is what is implemented here https://docs.phala.network/dstack/design-documents/tee-controlled-domain-certificates

3. Encumbered DNS: a final step (still to research) would be to encumber the account with the registrar that owns the account. In this way, a smart contract would practically control the DNS records.
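To make the CAA point in item 2 concrete, here is an added example (not code from this issue or from dstack) that evaluates RFC 8659 CAA policy offline: given a constructed zone whose only `issue` record names letsencrypt.org and whose `issuewild` record is `";"`, it decides which CA may issue for a given name. The zone names, the `CAA` dataclass and the function names are assumptions for illustration.

```python
from dataclasses import dataclass

# Issuer-critical bit of the CAA flags octet (RFC 8659 section 4.1).
CRITICAL = 0x80

@dataclass(frozen=True)
class CAA:
    flags: int  # 0 or CRITICAL
    tag: str    # "issue", "issuewild", "iodef", ...
    value: str  # e.g. "letsencrypt.org", "digicert.com; policy=x", or ";"

def relevant_records(zone: dict, fqdn: str) -> list:
    """RFC 8659 section 3: climb from the FQDN toward the root and return the
    CAA RRset of the closest name that has one (empty list if none)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_domain(value: str) -> str:
    # The issuer-domain-name precedes any ";"-separated parameters; ";" alone
    # yields "" and therefore matches no CA (explicit "nobody may issue").
    return value.split(";", 1)[0].strip().lower()

def issuance_allowed(zone: dict, fqdn: str, ca: str, wildcard: bool = False) -> bool:
    """Would a CA identified by `ca` be permitted to issue for `fqdn`?"""
    rrset = relevant_records(zone, fqdn)
    if not rrset:
        return True  # no CAA anywhere in the ancestry: issuance unrestricted
    # A critical record with an unrecognised tag forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False
    # Wildcard requests follow issuewild when present, otherwise issue.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    names = [issuer_domain(r.value) for r in rrset if r.tag == tag]
    if not names:
        return True  # nothing restricts this request type
    return ca.lower() in names

# Constructed zone data (hypothetical names): only Let's Encrypt may issue for
# example.com and its subdomains, and wildcard issuance is disabled entirely.
ZONE = {
    "example.com": [CAA(0, "issue", "letsencrypt.org"), CAA(0, "issuewild", ";")],
}
```

A compliant CA performs exactly this check before issuing, so with this record set a certificate for a name under example.com from any CA other than letsencrypt.org would indicate a CAA violation worth investigating in CT logs.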


Labels: encumbrance (related to TEE-managed account credentials), enhancement (New feature or request)
