Gerv, one other point to consider is that many CAs already have hard stops that 
can't be easily overridden for the highest value names you listed ("Google or 
Yahoo or Microsoft" - or Mozilla), so a hard stop with CAA would never even be 
reached via automated requests for those domains.  So many CA systems would not 
benefit all that much with CAA for those types of high value domains - they are 
already thrown into extra manual scrutiny.

-----Original Message-----
From: Public [] On Behalf Of Gervase Markham 
via Public
Sent: Monday, October 17, 2016 5:21 AM
To: Eric Mill <>
Subject: Re: [cabfpub] Continuing the discussion on CAA

On 15/10/16 22:49, Eric Mill wrote:
> a clear threat model. It seems to me that CAA is valuable if it 
> provides meaningful technical controls that restrict issuance from the 
> vast majority of CAs with whom an organization will have no business 
> relationship.

If for "vast majority", you read "all", then I agree. But my point is, "what is 
a technical control"? Something a human can override by checking a checkbox is 
not a technical control, it's a policy control (CA policy, not domain owner 

We have had various instances in the past (Comodogate, DigiNotar) where hackers 
have gained control of the ability to issue certificates with varying 
parameters, but have not gained the ability to override the logic built into 
the CA's issuance code. And it is in precisely situations such as this that the 
Web PKI is at greatest risk, because the attacker can (and did) issue 
certificates at will for major sites. I know of no other way to implement a 
technical control preventing this (assuming the CA doesn't simply want to 
hard-code a list of important domains they will never issue for, which might be 
the right thing for e.g. government CAs or academic CAs) except for a 
non-overrideable CAA check.

If I were a CA, not only would I have such a check, but I'd tie it to a DEFCON 
1 alert alarm if triggered. Because the first thing any cocky attacker is going 
to try once they've broken in is issuing a cert for Google or Yahoo or 

Having said that, Bruce makes some reasonable points about enterprise customers 
issuing from e.g. name-constrained sub-CAs. I need to study his message more 
carefully. So we should talk more this week about where we can draw some clear 
lines that provide this protection while exempting situations where the damage 
of misissuance is limited.

Public mailing list
Public mailing list

Reply via email to