Gerv, one other point to consider is that many CAs already have hard stops that
can't be easily overridden for the highest value names you listed ("Google or
Yahoo or Microsoft" - or Mozilla), so a hard stop with CAA would never even be
reached via automated requests for those domains. So many CA systems would not
benefit all that much with CAA for those types of high value domains - they are
already thrown into extra manual scrutiny.
-----Original Message-----
From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Gervase Markham
via Public
Sent: Monday, October 17, 2016 5:21 AM
To: Eric Mill <eric.m...@gsa.gov>
Cc: public@cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA
On 15/10/16 22:49, Eric Mill wrote:
> a clear threat model. It seems to me that CAA is valuable if it
> provides meaningful technical controls that restrict issuance from the
> vast majority of CAs with whom an organization will have no business
> relationship.
If for "vast majority", you read "all", then I agree. But my point is, "what is
a technical control"? Something a human can override by checking a checkbox is
not a technical control, it's a policy control (CA policy, not domain owner
policy).
We have had various instances in the past (Comodogate, DigiNotar) where hackers
have gained control of the ability to issue certificates with varying
parameters, but have not gained the ability to override the logic built into
the CA's issuance code. And it is in precisely situations such as this that the
Web PKI is at greatest risk, because the attacker can (and did) issue
certificates at will for major sites. I know of no other way to implement a
technical control preventing this (assuming the CA doesn't simply want to
hard-code a list of important domains they will never issue for, which might be
the right thing for e.g. government CAs or academic CAs) except for a
non-overrideable CAA check.
If I were a CA, not only would I have such a check, but I'd tie it to a DEFCON
1 alert alarm if triggered. Because the first thing any cocky attacker is going
to try once they've broken in is issuing a cert for Google or Yahoo or
Microsoft.
Having said that, Bruce makes some reasonable points about enterprise customers
issuing from e.g. name-constrained sub-CAs. I need to study his message more
carefully. So we should talk more this week about where we can draw some clear
lines that provide this protection while exempting situations where the damage
of misissuance is limited.
Gerv
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
