On 15/10/16 22:49, Eric Mill wrote:
> a clear threat model. It seems to me that CAA is valuable if it provides
> meaningful technical controls that restrict issuance from the vast
> majority of CAs with whom an organization will have no business
> relationship.
If for "vast majority", you read "all", then I agree. But my point is, "what is a technical control"? Something a human can override by checking a checkbox is not a technical control, it's a policy control (CA policy, not domain owner policy).

We have had various instances in the past (Comodogate, DigiNotar) where hackers have gained control of the ability to issue certificates with varying parameters, but have not gained the ability to override the logic built into the CA's issuance code. And it is in precisely situations such as this that the Web PKI is at greatest risk, because the attacker can (and did) issue certificates at will for major sites. I know of no other way to implement a technical control preventing this (assuming the CA doesn't simply want to hard-code a list of important domains they will never issue for, which might be the right thing for e.g. government CAs or academic CAs) except for a non-overrideable CAA check.

If I were a CA, not only would I have such a check, but I'd tie it to a DEFCON 1 alert alarm if triggered. Because the first thing any cocky attacker is going to try once they've broken in is issuing a cert for Google or Yahoo or Microsoft.

Having said that, Bruce makes some reasonable points about enterprise customers issuing from e.g. name-constrained sub-CAs. I need to study his message more carefully. So we should talk more this week about where we can draw some clear lines that provide this protection while exempting situations where the damage of misissuance is limited.

Gerv

_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
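The kind of non-overrideable CAA check described in the message above, as an added example that is not part of the original thread and is not any CA's issuance code. It implements the RFC 8659 lookup (climb from the requested name toward the root and use the first CAA RRset found), the issue/issuewild selection for wildcard names, the critical-flag rule for unknown properties, and a gate that has no bypass parameter and records an alert whenever it denies. The zone contents, the issuer names (ca-a.example, ca-b.example) and the ALERTS list standing in for a pager or SIEM hook are all constructed for this example; a real check would query DNS (with DNSSEC validation where available) instead of a dict.

```python
"""Non-overrideable CAA gate: an added example, not CA/B Forum or any CA's code.

The zone below is constructed data standing in for DNS answers, so the example
runs offline. Issuer names and the alert sink are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value) as in the CAA RDATA

# Constructed CAA data: owner name -> records. Flag 128 (0x80) is Issuer Critical.
FAKE_CAA_ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [(0, "issue", "ca-a.example"),
                    (0, "issuewild", ";"),                 # no wildcard issuance at all
                    (0, "iodef", "mailto:security@example.com")],
    "locked.example": [(0, "issue", ";")],                 # nobody may issue
    "strict.example": [(128, "futuretag", "x")],           # unknown *critical* property
    "open.example": [(0, "iodef", "mailto:soc@open.example")],  # no issue tags present
}


@dataclass(frozen=True)
class Decision:
    permitted: bool
    governing_name: Optional[str]   # owner name whose CAA RRset decided the outcome
    reason: str


def relevant_rrset(fqdn: str, zone: Dict[str, List[CAARecord]]) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 section 3: strip a leading '*' label, then use the CAA RRset of
    the first name that has one while climbing toward the root."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        name = ".".join(labels)
        rrset = zone.get(name)
        if rrset:
            return name, rrset
        labels = labels[1:]
    return None, []


def issuer_domain(value: str) -> str:
    """issue/issuewild value is '<issuer-domain>[; param=value ...]' or just ';'."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def check_caa(fqdn: str, issuer: str, zone: Dict[str, List[CAARecord]] = FAKE_CAA_ZONE) -> Decision:
    wildcard = fqdn.startswith("*.")
    name, rrset = relevant_rrset(fqdn, zone)
    if name is None:
        return Decision(True, None, "no CAA RRset at any ancestor: issuance unrestricted")
    known = {"issue", "issuewild", "iodef"}
    # An unknown property marked critical forbids issuance outright.
    for flags, tag, _ in rrset:
        if tag.lower() not in known and flags & 0x80:
            return Decision(False, name, f"unknown critical property {tag!r}")
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue applies to both.
    if wildcard and issuewild:
        governing, tag = issuewild, "issuewild"
    else:
        governing, tag = issue, "issue"
    if not governing:
        return Decision(True, name, f"RRset has no {tag} property: issuance unrestricted")
    if issuer.lower().rstrip(".") in {issuer_domain(v) for v in governing}:
        return Decision(True, name, f"{tag} record authorises {issuer}")
    return Decision(False, name, f"{tag} records do not authorise {issuer}")


class IssuanceBlocked(Exception):
    """Hard stop. Deliberately takes no 'override' or 'force' parameter."""


ALERTS: List[str] = []   # stand-in for the pager / SIEM hook (assumed for the example)


def gate_issuance(fqdn: str, issuer: str, zone: Dict[str, List[CAARecord]] = FAKE_CAA_ZONE) -> Decision:
    """The only path the issuance pipeline is allowed to call before signing."""
    decision = check_caa(fqdn, issuer, zone)
    if not decision.permitted:
        ALERTS.append(f"CAA DENY issuer={issuer} name={fqdn} ({decision.reason})")
        raise IssuanceBlocked(decision.reason)
    return decision


if __name__ == "__main__":
    for req in [("www.example.com", "ca-a.example"), ("*.example.com", "ca-a.example"),
                ("deep.sub.example.com", "ca-b.example"), ("strict.example", "ca-a.example")]:
        try:
            print(req, "->", gate_issuance(*req).reason)
        except IssuanceBlocked as e:
            print(req, "-> BLOCKED:", e, "| alerts:", len(ALERTS))
```

The point of splitting `check_caa` from `gate_issuance` is that the decision logic can be unit-tested against recorded DNS answers, while the gate is the single choke point the rest of the CA code calls; it has no checkbox equivalent, and every denial is both an exception and an alert event, which is what turns a policy control into a technical one.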