> On 2 Dec 2022, at 17:43, Kurt Seifried <[email protected]> wrote:
> 
> I read it briefly but it seems to me like there's a significant failure/abuse 
> scenario:
> 
> ISP controls an IP block that it portions out to customers. ISP has a web 
> server and puts in the IP/IPv6 CAA records.
> 
> Customers that use delegated IP space from the ISP can now only use those 
> CAAs as well if they want to use this standard, correct?
> 
> If this is correct, and I was a CA and read this I'd be building a PowerPoint 
> deck for my sales team on how ISP's can partner with us to get a 20-50% 
> commission on sales of certificates by doing this one simple thing…


Hello Kurt,

Thanks for the feedback!

If an ISP would like to add a CAA record for just their web server, they would 
add it only for that IP Address, and other addresses would not be affected.

If they add a CAA record for their entire IP range, e.g. assuming they have 
10.10.0.0/16 they add it on 10.10.in-addr.arpa, then clients can override this 
CAA record if they have a delegation for e.g. 10.10.10.in-addr.arpa or their 
ISP allows them to set CAA records the same way they set PTR records.

The same risk applies to regular CAA records and TLDs (CAA in com) or shared 
domains (CAA in no-ip.org). If the end user has a delegation, or the ability to 
update DNS records, they can override the ones set higher in the hierarchy. If 
not, then CAA will limit issuance and this becomes a human problem, not a 
computer problem.

Maybe it is due to ICANN’s rules, but I am not aware of this happening.

In both cases, the entity that controls the hierarchically higher resource (be 
it a domain or an IP Address), can always perform a Denial of Service against 
its own customers if it really wants to: just write a cron job that fetches all 
CT certificates of the past hour, finds all instances of its domain / IP 
Address range, and submits Certificate Problem Reports to the issuing CA. 
Probably after some time, no CA would like to deal with this and would denylist 
this resource.

In my view, this takes an entity going against their customers for arguably no 
real / significant gain, and if we assume that this is the case, then worse 
things could happen.

Overall, this remains a risk, always, but I don’t personally view it as 
something significant enough to prevent progress and gain the benefits of CAA.

Perhaps I am underestimating this, so I’d be happy to hear more if you still 
believe that it is a big problem.

Thank you,
Antonis 
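The override behaviour Antonis describes (a CAA record on the ISP's /16 reverse zone, overridden by a more specific record in a delegated /24) follows the same closest-ancestor rule that regular CAA uses for domain names. The following is an added illustration, not code from the thread or from the draft: the zone data is constructed, the record names are hypothetical, and a real client would replace the dictionary lookup with DNS queries.

```python
import ipaddress

# Constructed zone data: reverse-DNS name -> CAA "issue" values published there.
# Only names that carry a CAA RRset appear; every other name is assumed empty.
CONSTRUCTED_CAA_RECORDS = {
    # ISP publishes CAA for its whole 10.10.0.0/16 at 10.10.in-addr.arpa
    "10.10.in-addr.arpa": ["isp-partner-ca.example"],
    # customer with a delegated 10.10.10.0/24 overrides it one level down
    "10.10.10.in-addr.arpa": ["customer-ca.example"],
    # ISP's own web server 10.10.0.1 gets a host-specific record
    "1.0.10.10.in-addr.arpa": ["isp-web-ca.example"],
}


def reverse_name(ip):
    """Reverse-mapping name for an address (IPv4 in-addr.arpa, IPv6 ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def caa_chain(ip):
    """Names a client would check, most specific first, stopping at
    in-addr.arpa / ip6.arpa (the two trailing labels are never dropped)."""
    labels = reverse_name(ip).split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def effective_caa(ip, records):
    """Climb from the host name upward and return (name, values) for the
    first CAA RRset found, like the closest-ancestor rule of domain CAA.
    An empty result means no CAA applies and any CA may issue."""
    for name in caa_chain(ip):
        if name in records:
            return name, records[name]
    return None, []


def issuance_allowed(ip, ca, records):
    """Check whether a CA identified by `ca` may issue for `ip`."""
    _, values = effective_caa(ip, records)
    return not values or ca in values


if __name__ == "__main__":
    for addr in ("10.10.10.5", "10.10.20.7", "10.10.0.1", "192.0.2.1"):
        print(addr, "->", effective_caa(addr, CONSTRUCTED_CAA_RECORDS))
```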

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/1A2BAADC-E403-40A3-8D3B-2A20F82BED6B%40gmail.com.
