On Mon, Feb 21, 2022 at 06:03:43PM +0100, Matthias van de Meent wrote:
> On Mon, Feb 21, 2022 at 5:09 PM Ryan Sleevi <[email protected]> wrote:
> > On Mon, Feb 21, 2022 at 8:25 AM Michel Le Bihan
> > <[email protected]> wrote:
> >> I know that this has been discussed several years ago, but I didn't see
> >> any definitive final conclusion. In regards to the recent incident
> >> https://medium.com/s2wblog/post-mortem-of-klayswap-incident-through-bgp-hijacking-en-3ed7e33de600
> >> that involved the malicious actor reacquiring a valid TLS certificate, I
> >> think that it might be worth to restart the discussion.
> >>
> >> I know that the recommended solution is RPKI, but should there be other
> >> solutions that would mitigate this issue when RPKI is not deployed?
> >>
> >> Some possible solutions:
> >> 1. Allow restricting validation methods in CAA records
> >> 2. Require CAs to have multiple vantage points
> >> 3. Not issue certificates shortly after suspicious BGP events
> >
> > I'm not sure I see how 1 addresses this risk by itself. Are you thinking
> > about this in isolation, or combined with some other mitigations (like RPKI
> > and DNSSEC)? And, if combining, do we really need 1 to bind the method,
> > versus something like account binding?
>
> Account binding might not be available for certain CAs.
Then don't use those certain CAs, and restrict those CAs from issuing for your domain by not including them in the domain's CAA records.

> I would like it if
> e.g. CAA would also allow for restricting validation methods:

RFC8657 defines the `validationmethods` parameter to the `issue` and `issuewild` CAA properties. Again, if a given CA doesn't support those parameters, you can avoid the problem by not including that CA in your CAA records.

- Matt

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220222013029.GF8187%40hezmatt.org.
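As an added illustration of the CAA parameters Matt refers to (example code written for this page, not code from the thread or from any CA), the following models the check a CA that implements RFC 8657 would make at issuance time: given a domain's `issue` records, is this CA, this validation method and this ACME account authorised? The CA domains, account URIs and records are constructed for the example; the point is that a record limited to `dns-01` refuses a request validated over a hijacked HTTP path, and an `accounturi` pin refuses a request from a foreign account.

```python
"""Evaluate CAA 'issue' property values carrying RFC 8657 parameters.

Added example, not from the thread. Property values follow the RFC 8659
syntax "<issuer-domain>[; key=value]*"; RFC 8657 defines the
'accounturi' and 'validationmethods' parameters. A CA that does not
implement RFC 8657 would simply not run this check, which is why the
thread advises leaving such CAs out of the CAA set.
"""
from dataclasses import dataclass, field


@dataclass
class CaaIssue:
    issuer: str                     # "" (from "issue \";\"") authorises nobody
    params: dict = field(default_factory=dict)


def parse_issue(value: str) -> CaaIssue:
    """Split an 'issue'/'issuewild' value into issuer domain and parameters."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        key, _, val = p.partition("=")     # URLs may themselves contain '='
        params[key.strip().lower()] = val.strip()
    return CaaIssue(issuer, params)


def issuance_permitted(records, ca_domain, method, account_uri=None) -> bool:
    """True if some 'issue' record authorises ca_domain for this request.

    `method` is the validation method used (e.g. 'dns-01', 'http-01');
    `account_uri` is the requesting ACME account, compared against an
    'accounturi' pin when the record carries one (RFC 8657 sections 3-4).
    """
    if not records:
        return True     # no 'issue' records present: any CA may issue (RFC 8659)
    for raw in records:
        rec = parse_issue(raw)
        if rec.issuer == "" or rec.issuer != ca_domain.lower():
            continue    # empty issuer or a different CA: this record grants nothing
        pinned = rec.params.get("accounturi")
        if pinned is not None and pinned != account_uri:
            continue    # record bound to another account
        methods = rec.params.get("validationmethods")
        if methods is not None:
            allowed = {m.strip().lower() for m in methods.split(",")}
            if method.lower() not in allowed:
                continue    # e.g. http-01 attempted, only dns-01 permitted
        return True
    return False
```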
