On Tuesday, 19 September 2017 14:02:36 UTC+1, Gervase Markham wrote:
> I'd be interested in your engagement on my brief threat modelling; it
> seems to me that DNSSEC only adds value in the scenario where an
> attacker has some control of CA Foo's issuance process, but not enough
> to override the CAA check internally, but it also has enough control of
> the network (either at the target, or at the CA) to spoof DNS responses
> to defeat CAA. That seems on the surface like a rare scenario.

The latter part sounds correct. The first part is definitely inaccurate. An attacker only has to _prefer_ one particular CA for any reason, it needn't be that they can control issuance.

Off the top of my head reasons to prefer a particular CA for an attack _despite_ no control over issuance might include:

* This CA offers a particular validation method we can exploit. For example they accept Domain Authorization Documents and we are expert forgers, we anticipate our documents will be entirely convincing but of course we can't submit them to a CA which doesn't offer this method. Or, we have a trick where we can intercept email for a domain unnoticed, but we cannot use this to validate with a CA which doesn't offer email validation.

* This CA is known not to treat our target as "High Value" while others do. If we try another CA they will flag the application for scrutiny and a human may spot that it is suspicious and notify the target.

* This CA doesn't CT log, or does so only belatedly, buying us more time before an alert target will realise what we're doing compared to a CA which logs all issuances immediately.

* This CA is notoriously slow to react to problem reports, again buying us more time to use the certificate before they revoke it and admit what happened compared to a CA which is proactive and would engage immediately.

* This CA's audit logging is poor, so that when our attack succeeds the police and other investigators will find the trail of evidence is inadequate and it's difficult to track the attackers down and prosecute them. A better CA might give investigators a hot trail and lead to us being caught.

* This CA is located in a jurisdiction that's especially inconvenient for the target. The target's usual CA probably speaks their language, operates in a similar timezone, maybe has extradition treaties and mutual co-operation rules that will help if there's a crime, but we can choose one that's as difficult as possible.

* This CA is trusted by a particular application or device beyond the scope of the Web PKI so that we can leverage an attack on Web PKI assets to actually break something far more important, payment gateways, life support, whatever. Other CAs are useless for this type of attack because there is no reason for them to be trusted in these other applications.

CAA isn't a magic "fix" for any of these, but it follows the principle of least privilege. Why let every CA in the world issue for example.com if we, as example.com, are confident we only want to use Honest Achmed? If we change our minds (perhaps after Achmed's dubious personnel structures are revealed) we can just update the CAA record, no trouble.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
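
Added example, not part of the original message: a sketch of the CAA check a CA runs before issuance, in the style of RFC 8659, showing how one record on example.com narrows issuance to a single CA. The zone contents and the CA identifiers achmed-ca.example and other-ca.example are constructed assumptions, and a dictionary stands in for real DNS lookups.

```python
# Added example: CA-side CAA evaluation in the style of RFC 8659.
# ZONE is constructed sample data standing in for DNS answers.
# Each record is (flags, tag, value).
ZONE = {
    "example.com": [(0, "issue", "achmed-ca.example"),
                    (0, "iodef", "mailto:security@example.com")],
    "noissue.example.com": [(0, "issue", ";")],
    "odd.example.net": [(128, "futuretag", "x")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(fqdn, zone):
    """Climb from fqdn towards the root; return the first non-empty CAA RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """The issuer domain name is whatever precedes any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca_domain, fqdn, zone=ZONE):
    """Return True if CAA permits the CA identified by ca_domain to issue."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    rrset = relevant_rrset(name, zone)
    # A critical (flag 128) property the CA does not understand blocks issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS
           for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # For wildcard names issuewild, when present, replaces issue.
    restricting = issuewild if (wildcard and issuewild) else issue
    if not restricting:
        return True  # no restricting property: CAA does not limit issuance
    return ca_domain.lower() in {issuer_domain(v) for v in restricting}
```

Calling may_issue with an empty zone for the same name returns True for any CA, which is the case the quoted threat model describes: the check is only as trustworthy as the DNS answer the CA receives.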

