On 25/8/2017 9:42 PM, Ryan Hurst via dev-security-policy wrote:
> Dimitris,
> I think it is not accurate to characterize this as being outside of the CAs'
> controls. Several CAs utilize multiple network perspectives and consensus to
> mitigate these risks. While this is not a total solution it is fairly effective
> if the consensus pool is well thought out.
> Ryan
Just to make sure I am not misunderstanding, are you referring to CAs
with real-time access to the Full Internet Routing Table that allows
them to make routing decisions or something completely different? If
it's something different, it would be great if you could provide some
information about how this consensus over network perspectives (between
different CAs) works today. There are services that offer
routing-status like https://stat.ripe.net/widget/routing-status or
https://www.cidr-report.org/as2.0/ but I don't know if they are being
used by CAs to minimize the chance of accepting a hijacked address
prefix (Matt's example).
Dimitris.
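As an added illustration (not code from either author or from any CA), the following sketch models the multi-perspective consensus Ryan refers to: the validation lookup is issued from several vantage points and the CA issues only when a quorum agrees. The perspectives, network labels, token and quorum values are constructed for the example; the "distinct networks" requirement is an assumption about what a well thought out pool looks like, not a documented CA rule.

```python
"""Multi-perspective validation consensus (added illustration, constructed data)."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Observation:
    perspective: str        # vantage point the lookup was issued from
    network: str            # network (e.g. AS) the vantage point sits in
    token: Optional[str]    # token fetched from the domain, None if absent/failed

def consensus(observations: List[Observation], expected_token: str,
              quorum: int, min_networks: int = 2) -> bool:
    """Accept only if at least `quorum` perspectives, spread over at least
    `min_networks` distinct networks, fetched the expected token. A prefix
    hijack that diverts only part of the Internet reaches few perspectives,
    so the agreeing set stays below quorum and validation is refused."""
    agreeing = [o for o in observations if o.token == expected_token]
    networks = {o.network for o in agreeing}
    return len(agreeing) >= quorum and len(networks) >= min_networks

TOKEN = "tok-1234"  # constructed challenge token

# Every vantage point reaches the legitimate site, which serves the token.
ALL_AGREE = [
    Observation("eu-west", "AS-A", TOKEN),
    Observation("us-east", "AS-B", TOKEN),
    Observation("ap-south", "AS-C", TOKEN),
]

# A hijacked prefix is visible only on paths near "eu-west": that vantage
# point is served the token by the impostor; the others reach the real site,
# which never published it.
LOCAL_HIJACK = [
    Observation("eu-west", "AS-A", TOKEN),
    Observation("us-east", "AS-B", None),
    Observation("ap-south", "AS-C", None),
]

# Two agreeing perspectives, but both in the same network: a poorly chosen
# pool can be satisfied from a single diverted path.
SAME_NETWORK = [
    Observation("eu-west-1", "AS-A", TOKEN),
    Observation("eu-west-2", "AS-A", TOKEN),
    Observation("ap-south", "AS-C", None),
]

if __name__ == "__main__":
    for name, obs in [("all agree", ALL_AGREE), ("local hijack", LOCAL_HIJACK),
                      ("same network", SAME_NETWORK)]:
        print(f"{name}: {'issue' if consensus(obs, TOKEN, quorum=2) else 'refuse'}")
```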
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy