Re: CAA reporting support and tests?

2017-09-28 Thread Gervase Markham via dev-security-policy
On 26/09/17 00:03, Andrew wrote:
> is that the reports should only be sent in a situation where a
> certificate _would_ have been issued if not for the CAA records.

I'd say that's right. I'd think that by far the more common use case
would be internal policy enforcement at a company rather than detecting
a 3rd party attacker. And given that it's often just "send an email",
one hopes the iodef might not be too onerous for CAs to implement. I
believe we scoped it down to only having to support http: and mailto:.

Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
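The two points Gerv makes (report only when CAA was the sole reason issuance was refused, and only http:/mailto: iodef targets need to be supported) are shown below as a small policy evaluator. This is an added example, not code from the thread or from any CA; the CAA record set is constructed, and https is assumed to be accepted alongside http.

```python
from urllib.parse import urlsplit

# Constructed CAA record set (not from the thread); tuples of (flags, tag, value).
EXAMPLE_CAA = [
    (0, "issue", "ca-a.example"),
    (0, "iodef", "mailto:caa-reports@example.com"),
    (0, "iodef", "https://example.com/caa-report"),
    (0, "iodef", "ftp://example.com/unsupported"),  # scheme a CA need not support
]

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80
# Assumption: https is accepted alongside the http: and mailto: schemes from the thread.
REPORTABLE_SCHEMES = {"mailto", "http", "https"}


def issuance_permitted(records, ca_domain, wildcard=False):
    """Apply the issue/issuewild tags to a CA identity (RFC 6844 style matching)."""
    for flags, tag, _ in records:
        if flags & CRITICAL and tag not in KNOWN_TAGS:
            return False  # critical tag the CA does not understand: must not issue
    relevant = [v for _, t, v in records if t == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [v for _, t, v in records if t == "issue"]
    if not relevant:
        return True  # no issue restriction published
    # The CA identity is the part before any ';' parameters; a bare ';' matches nobody.
    return any(v.split(";", 1)[0].strip().lower() == ca_domain.lower() for v in relevant)


def report_targets(records):
    """iodef URLs the CA can actually deliver to (other schemes are skipped)."""
    return [v for _, t, v in records
            if t == "iodef" and urlsplit(v).scheme.lower() in REPORTABLE_SCHEMES]


def caa_decision(records, ca_domain, wildcard=False, other_checks_passed=True):
    """Return (permitted, should_report, targets).

    A report is only warranted when CAA was the sole reason issuance was refused:
    if domain validation or any other check already failed, nothing is sent,
    so the domain owner is not notified about requests that would never have issued."""
    permitted = issuance_permitted(records, ca_domain, wildcard)
    should_report = other_checks_passed and not permitted
    return permitted, should_report, report_targets(records) if should_report else []
```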


Re: CAA reporting support and tests?

2017-09-25 Thread Matthew Hardeman via dev-security-policy
Has there been any serious discussion of the potential benefit of CAA reporting 
for certificate issuance attempts?

I'm aware of what the spec says and the SHOULD language, etc...

I'm not a CA and don't represent one.

I do, however, think that it's easier to get buy-in for changes to CA 
infrastructure when there is a strong showing for cost/benefit relationship.

In a post-CT world, issuances which occur will be easily detected quite 
promptly.

I am unsure of the value of a report issuing for a failed issuance attempt.  
"Oh, yea, that wasn't me.  Someone's looking to attack."  How does that help?  
One should always assume that one is under attack.  Perhaps it allows you to 
identify an internal party attempting to get a certificate issued and allows 
you to work with that party to correctly get a certificate issued, but wouldn't 
that legitimate inside party have reached out internally anyway when they 
encountered a problem?

I'm just not sure I understand the point of the reporting in terms of deriving 
real security value.

I think it behooves the community, in selecting items to advance for mandatory 
compliance within the CA space, to choose the requirements imposed carefully 
and with a view to deriving real objective security value.



CAA reporting support and tests?

2017-09-25 Thread Hanno Böck via dev-security-policy
Hi,

I was wondering how a CAA reporting endpoint should react and wanted to
test it. However, none of the CAs I tested seem to support reporting
yet.

Is anyone aware of a CA that does CAA reporting? (either via mail or
https or both.)
If no reporting on a live CA is in place, is at least anyone aware of
any kind of available test that is able to generate CAA reports?

Also I'm wondering if there are any plans to have a requirement for CAA
reporting support in the future. The cabforum ballot [1] says that
reporting "SHOULD" be done.



[1]
https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42