Hi Richard. This pdf has some more details on Comodo's other domain
validation methods...
https://secure.comodo.com/api/pdf/latest/Domain%20Control%20Validation.pdf
On 20/12/14 00:25, Richard Barnes wrote:
Hey Tony,
I just got around to thinking about this for a moment. Obviously, our
baseline here should be whatever the CAs are doing today, since we have
empirical evidence that those methods are more or less OK. I did a
quick and dirty empirical survey of the top few CAs this afternoon:
https://docs.google.com/a/ipv.sx/document/d/1KVKIS6abA2KL-yHvFsMql6U3qUjVhgO6p19Hzci0vQo/edit?usp=sharing
For the most part, they rely on sending an email to either the
registered WHOIS contact, or something like admin@domain. GlobalSign
supports validation based on a DNS record or a <meta> tag in index.html.
With regard to your concern about services colocated on the same IP
(presumably for simpleHttps and DVSNI validation): This seems to mostly
be addressed by not allowing the ACME client to specify the port that
the ACME server connects to. That means that the attacker has to
control not only something on the box, but the default port for HTTP or
HTTPS. If that's not the case, normal routing based on the Host header
or SNI should ensure that the validation request goes to the right place.
Nonetheless, I agree that more analysis would be useful, across all the
validation methods.
--Richard
On Mon, Dec 1, 2014 at 7:33 PM, Tony Arcieri <[email protected]
<mailto:[email protected]>> wrote:
Is there a published threat model for claiming domains? I haven't
been able to find it, but I'd certainly like to read it!
If we simply accept a service running on the same IP that a given
DNS name points to, there seems ample opportunity to register
certificates for services colocated on the same IP.
--
Tony Arcieri
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
