The problem is that the attackers get to choose the CA they use, so multi-perspective validation doesn't provide any benefits unless everyone has to do it.
I brought it up several times at the validation working group and as a discussion topic at the Shanghai face to face, but unfortunately there doesn't seem to be much enthusiasm for requiring it.

-Tim

> -----Original Message-----
> From: dev-security-policy <[email protected]> On Behalf Of Rob Stradling via dev-security-policy
> Sent: Tuesday, December 18, 2018 7:42 AM
> To: Wayne Thayer <[email protected]>
> Cc: Ryan Sleevi <[email protected]>; [email protected]; mozilla-dev-security-policy <[email protected]>
> Subject: Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable
>
> On 14/12/2018 21:06, Wayne Thayer via dev-security-policy wrote:
> <snip>
> > I think it's worth calling out that Let's Encrypt has implemented what
> > appears to be a relatively simple mitigation:
> > https://community.letsencrypt.org/t/edns-buffer-size-changing-to-512-bytes/77945
>
> Sectigo implemented this same mitigation about a month ago.
>
> > I am also interested to know if other CAs are considering this or
> > other mitigations (e.g. multi-perspective validation) for this attack.
>
> Multi-perspective validation is something we've started to think about too.
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> Sectigo Limited
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
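The 512-byte EDNS buffer size that Wayne and Rob refer to above, shown as an added example that is not part of the thread and is not Let's Encrypt's or Sectigo's code. The resolver's query carries an EDNS0 OPT record whose CLASS field advertises the largest UDP answer the resolver will accept; with that set to 512 bytes, a nameserver will not send a larger UDP reply (the kind that gets IP-fragmented in transit and whose second fragment an attacker can spoof). It sets the TC bit instead, and the resolver refetches the answer over TCP. Everything below is standard library; the function names are my own, `fake_udp` and `fake_tcp` are constructed stand-ins for the network so it runs offline, and it covers only the buffer-size mitigation, not multi-perspective validation.

```python
import random
import struct

QTYPE_TXT = 16    # ACME dns-01 validation reads a TXT record
QTYPE_OPT = 41    # EDNS0 pseudo-RR (RFC 6891)
FLAG_TC = 0x0200  # header flag: the UDP answer was truncated


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def skip_name(buf, off):
    """Return the offset just past an uncompressed wire-format name at off."""
    while buf[off] != 0:
        off += 1 + buf[off]
    return off + 1


def build_query(name, qtype=QTYPE_TXT, udp_payload=512, txid=None):
    """Build a query whose OPT record advertises udp_payload as the largest
    UDP answer we will accept; 512 is the value discussed in the thread."""
    if txid is None:
        txid = random.randrange(0, 1 << 16)
    # ID, flags (RD), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: owner = root, TYPE=41, CLASS = requester's UDP payload size,
    # TTL = extended RCODE/version/DO bit (all zero here), RDLEN = 0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_payload, 0, 0)
    return header + question + opt


def advertised_payload(query):
    """Read back the UDP payload size from the query's OPT record."""
    off = skip_name(query, 12) + 4  # past the question name, QTYPE and QCLASS
    if query[off] != 0:
        raise ValueError("OPT owner name must be the root")
    rtype, payload = struct.unpack_from("!HH", query, off + 1)
    if rtype != QTYPE_OPT:
        raise ValueError("no OPT record in additional section")
    return payload


def resolve_with_tcp_fallback(query, udp_send, tcp_send):
    """Send over UDP; if the server sets TC because the answer exceeds the
    advertised payload, refetch over TCP (two-byte length prefix, RFC 1035).
    Returns (response, transport_used)."""
    resp = udp_send(query)
    txid, flags = struct.unpack_from("!HH", resp, 0)
    if txid != struct.unpack_from("!H", query, 0)[0]:
        raise ValueError("transaction ID mismatch")
    if not flags & FLAG_TC:
        return resp, "udp"
    framed = tcp_send(struct.pack("!H", len(query)) + query)
    length = struct.unpack_from("!H", framed, 0)[0]
    return framed[2:2 + length], "tcp"


# --- constructed stand-ins for the network so the example runs offline ---

def fake_response(query, truncated):
    """Echo the query back as a response; truncated=True models an answer
    that did not fit in the advertised 512 bytes."""
    flags = 0x8180 | (FLAG_TC if truncated else 0)  # QR, RD, RA (+TC)
    return query[:2] + struct.pack("!H", flags) + query[4:]


def fake_udp(wire):
    return fake_response(wire, truncated=True)


def fake_tcp(framed):
    reply = fake_response(framed[2:], truncated=False)
    return struct.pack("!H", len(reply)) + reply


def demo():
    q = build_query("_acme-challenge.example.com", txid=0x1234)
    resp, transport = resolve_with_tcp_fallback(q, fake_udp, fake_tcp)
    return advertised_payload(q), transport, resp[:2] == q[:2]


if __name__ == "__main__":
    print(demo())  # (512, 'tcp', True)
```

The TCP fallback is what makes the small buffer safe rather than merely restrictive: a TCP answer is reassembled by the transport with sequence numbers the off-path attacker does not know, so the spoofed-fragment trick has nothing to splice into. Note that this only hardens the CA that deploys it, which is the point Tim makes above.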

