>
> Multiple perspectives are useful when relying on any insecure third-party
> resource; for example DNS or Whois.
>
> This is different than requiring multiple validations of different types;
> an attacker that is able to manipulate the DNS validation at the IP layer
> is also likely going to be able to do the same for HTTP and Whois.
>
To Mr. Buschart's point, combining DNSSEC with an enhancement to CAA in which the CAA responses can cause an opt-in limit to acceptable validation methods, a scheme combining those elements would be the first mechanism for a domain holder to ensure that CA issuance authorization (in the domain validation scope) would be able to be, upon the domain holder's initiative, locked to a mechanism that provides for cryptographic assertions from the root zone down.

With the right combination of DNSSEC validation, CAA records as utilized today, and an enhancement to CAA for locking down to particular validation methodologies, domain holders can be handed a strong tool to prevent the sorts of issuance to bad actors who can utilize a BGP hijack today to meet the validation needs.

There's an extension to CAA in this spirit described here (this one is specific to ACME methods):

https://tools.ietf.org/html/draft-ietf-acme-caa-03

To my knowledge, no one is implementing this as yet, but I'd love to see it happen.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
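As an added illustration of the CA-side check the message describes (this is example code written for this page, not code from the thread, from Mozilla, or from any CA), the following Python sketch evaluates a CAA record set the way a CA would before issuing: it applies the RFC 8659 `issue`/`issuewild` semantics and honours the `validationmethods` parameter that draft-ietf-acme-caa adds to the property value, so a domain holder can restrict which validation method a CA may use. The record set, CA name and method names are constructed sample data; the function and class names are this example's own.

```python
"""
CA-side CAA evaluation with the draft-ietf-acme-caa `validationmethods`
parameter. All records below are constructed sample data for this example.
"""
from dataclasses import dataclass

# Property tags a conforming CA understands (RFC 8659). Any record that
# carries the critical flag (0x80) with an unknown tag forbids issuance.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL_FLAG = 0x80


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_issue_value(value):
    """Split an issue/issuewild value into (issuer_domain, parameters).

    RFC 8659 grammar: issuer-domain-name followed by ';'-separated
    name=value parameters. A bare ';' (empty issuer) means "no CA may issue".
    """
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        name, val = p.split("=", 1)
        params[name.strip().lower()] = val.strip()
    return issuer, params


def issuance_permitted(records, ca_domain, method, wildcard=False):
    """Return True iff this CAA set lets `ca_domain` issue using `method`.

    `method` is a validation method name as used by the draft, e.g.
    "dns-01" or "http-01". With no `validationmethods` parameter a matching
    issuer entry permits any method (today's CAA behaviour).
    """
    # Critical records we do not understand block issuance outright.
    for r in records:
        if r.flags & CRITICAL_FLAG and r.tag.lower() not in KNOWN_TAGS:
            return False

    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r.tag.lower() == tag]
    if wildcard and not relevant:
        # No issuewild records: wildcard requests fall back to issue records.
        relevant = [r for r in records if r.tag.lower() == "issue"]
    if not relevant:
        # No issue/issuewild property present: CAA imposes no restriction.
        return True

    ca_domain = ca_domain.lower()
    for r in relevant:
        issuer, params = parse_issue_value(r.value)
        if not issuer or issuer != ca_domain:
            continue  # empty issuer (";") or a different CA
        allowed = params.get("validationmethods")
        if allowed is None:
            return True  # issuer authorised, no method lock
        methods = {m.strip().lower() for m in allowed.split(",") if m.strip()}
        if method.lower() in methods:
            return True
    return False


# Constructed sample zone data: the domain holder locks ca.example.net to
# DNS-based validation and lets other-ca.example.org use any method.
SAMPLE_RECORDS = [
    CAARecord(0, "issue", "ca.example.net; validationmethods=dns-01"),
    CAARecord(0, "issue", "other-ca.example.org"),
    CAARecord(0, "iodef", "mailto:security@example.com"),
]


if __name__ == "__main__":
    for ca, m in [("ca.example.net", "dns-01"), ("ca.example.net", "http-01"),
                  ("other-ca.example.org", "http-01"), ("unlisted.example", "dns-01")]:
        print(ca, m, "->", "permitted" if issuance_permitted(SAMPLE_RECORDS, ca, m) else "refused")
```

The lock only holds as strongly as the lookup that fetched the records: as the message argues, the CAA answer itself must come from a DNSSEC-validating resolver for a signed zone, otherwise the same network-level manipulation that defeats the validation check can also remove or rewrite the `validationmethods` restriction.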