On 15/10/16 22:49, Eric Mill wrote:
> a clear threat model. It seems to me that CAA is valuable if it provides
> meaningful technical controls that restrict issuance from the vast
> majority of CAs with whom an organization will have no business
> relationship.

If for "vast majority", you read "all", then I agree. But my point is,
"what is a technical control"? Something a human can override by
checking a checkbox is not a technical control, it's a policy control
(CA policy, not domain owner policy).

We have had various instances in the past (Comodogate, DigiNotar) where
hackers have gained control of the ability to issue certificates with
varying parameters, but have not gained the ability to override the
logic built into the CA's issuance code. And it is in precisely
situations such as this that the Web PKI is at greatest risk, because
the attacker can (and did) issue certificates at will for major sites. I
know of no other way to implement a technical control preventing this
(assuming the CA doesn't simply want to hard-code a list of important
domains they will never issue for, which might be the right thing for
e.g. government CAs or academic CAs) except for a non-overrideable CAA

If I were a CA, not only would I have such a check, but I'd tie it to a
DEFCON 1 alert alarm if triggered. Because the first thing any cocky
attacker is going to try once they've broken in is issuing a cert for
Google or Yahoo or Microsoft.

Having said that, Bruce makes some reasonable points about enterprise
customers issuing from e.g. name-constrained sub-CAs. I need to study
his message more carefully. So we should talk more this week about where
we can draw some clear lines that provide this protection while
exempting situations where the damage of misissuance is limited.

Public mailing list

Reply via email to