[cabf_validation] Question about MPDV and CAA

Ryan Dickson ryandickson at google.com
Wed Jun 21 13:18:38 UTC 2023


Hi Pedro,

Thanks for taking the time to review the proposal - and for your question.
Also, sorry for the delayed response - I’ve been out of the office for a
few days.

The researchers at Princeton initially advised us to evaluate both domain
validation challenges and CAA records to add resilience to the issuance
process. Specifically, the goal was to make it more difficult for an
adversary to launch what they described as a “downgrade attack.”

For example, let’s consider a domain owner who used CAA to restrict
issuance to a set of CAs that do not support email-based domain control
validation because they do not want to allow validation of their domain to
occur via email. Also, suppose we aren’t checking CAA from multiple Network
Perspectives. In this case, it’d be easier for an adversary to downgrade
the issuance process because they would only need to launch one successful
attack (the perspective used by the CA to establish the primary
determination) to subvert CAA and allow a CA not included in the set of CAs
permitted to issue a certificate to the domain to do so. In contrast, if
CAA was checked across multiple Network Perspectives, the adversary would
need to launch a global BGP attack to obtain a certificate for the target
domain (harder to accomplish and not always viable for the adversary, for
example, they might only have the means to accomplish a local or regional
attack).

We also see layers of security built on top of CAA, for example, Account
Binding and Validation Method Binding as specified by RFC 8657. These
extensions allow organizations to restrict issuance to specific 1) account
IDs or 2) ACME domain validation methods. Not checking CAA records from
multiple perspectives allows an adversary to more easily downgrade these
additional security measures (based on the same approach described above)
and then target the added attack surface these records were intended to
eliminate.

The “no-issue” CAA record (i.e., CAA 0 issue “;”) is another example where
the CAA record has a significant impact on issuance behavior. If CAA is not
being checked from multiple perspectives, this is another security control
that can be more easily downgraded than if CAA is being checked from
multiple perspectives.

As always, other considerations and perspectives are welcome!

Thanks,
Ryan


On Fri, Jun 16, 2023 at 6:43 AM Pedro FUENTES via Validation <
validation at cabforum.org> wrote:

> Hello,
> Sorry as most likely this has been already discussed, but as I came “late
> to the party”, there are things that I surely missed.
>
> About the need to consider CAA also in the MPDV… I’m thinking about this
> and I fail to see the risk we’re managing by doing it. My rationale is that
> MPDV, once it verifies the domain ownership/control, would also imply that
> records in the DNS (i.e. CAA) are legit.
>
> The only situation I see where this could apply, is when someone could
> trick a CAA record during the reuse period of a previously validated
> domain, so MPDV could verify proper domain control, but the CAA check that
> must be done for each issuance is faked, but I’d say that faking the CAA
> could have as only logic purpose to enable another CA to issue the
> certificate, and that CA would also need to check the domain control using
> MPDV.
>
> When you decided to include CAA in the game… what was the logic behind?
>
> Most likely there’s a good reason that clever people have discussed
> already, so I’d appreciate it if you can help me understand better.
>
> Thanks!
> Pedro
>
>
> *WISeKey SA*
>
> *Pedro Fuentes*CSO - Trust Services Manager
> Office: + 41 (0) 22 594 30 00
> Mobile: + 41 (0) 791 274 790
> Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland
>
>
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/validation
>
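The downgrade scenario Ryan describes, as an added worked example (illustration written for this page, not code from any CA, from the CA/Browser Forum or from the Princeton researchers): a minimal evaluator of CAA `issue`/`issuewild` records (RFC 8659) that also honours the RFC 8657 `validationmethods` and `accounturi` parameters, run first from a single network perspective and then across several. The domain and CA names, the forged record set returned on the hijacked path, and the corroboration rule (the primary perspective must permit and at least two remote perspectives must independently permit) are assumptions made for the example, not the Baseline Requirements' actual quorum.

```python
"""Added illustration: CAA + RFC 8657 evaluated from several network perspectives.
Example code for this thread only; names and the corroboration rule are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(text: str) -> CAARecord:
    """Parse presentation format, e.g.  0 issue "ca.example; accounturi=..."  ."""
    flags, tag, value = text.split(" ", 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def record_permits(rec: CAARecord, ca_domain: str, method: str, account: str) -> bool:
    """True if one issue/issuewild record authorises ca_domain under its parameters."""
    parts = [p.strip() for p in rec.value.split(";")]
    if parts[0].lower() != ca_domain.lower():   # also rejects the no-issue form `issue ";"`
        return False
    for param in parts[1:]:
        if not param:
            continue
        key, _, val = param.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "validationmethods":            # RFC 8657 validation-method binding
            if method not in [m.strip() for m in val.split(",")]:
                return False
        elif key == "accounturi":                 # RFC 8657 account binding
            if val != account:
                return False
        else:                                     # unrecognised parameter: refuse (conservative)
            return False
    return True


def one_perspective(records, ca_domain, method, account, wildcard=False):
    """CAA decision from a single vantage point; records=None means the lookup failed."""
    if records is None:
        return None
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True                               # no relevant records: any CA may issue
    return any(record_permits(r, ca_domain, method, account) for r in relevant)


def multi_perspective(views, ca_domain, method, account, min_corroborating=2, wildcard=False):
    """views maps a perspective name to the CAA records it retrieved ("primary" required).
    Assumed corroboration rule (not the BR text): the primary perspective must permit
    AND at least min_corroborating remote perspectives must independently permit."""
    if one_perspective(views["primary"], ca_domain, method, account, wildcard) is not True:
        return False
    remotes = [one_perspective(v, ca_domain, method, account, wildcard)
               for name, v in views.items() if name != "primary"]
    return sum(1 for r in remotes if r is True) >= min_corroborating


def downgrade_demo():
    """Constructed scenario: the owner only allows strict-ca.example via dns-01, but an
    attacker who can hijack the primary perspective's path to the authoritative
    nameserver answers that one vantage point with a forged, permissive record set."""
    genuine = [parse_caa('0 issue "strict-ca.example; validationmethods=dns-01"')]
    forged = [parse_caa('0 issue "weak-ca.example"')]
    no_issue = [parse_caa('0 issue ";"')]
    acct_bound = [parse_caa('0 issue "strict-ca.example; accounturi=https://acme.strict-ca.example/acct/42"')]
    honest = {"primary": genuine, "remote-1": genuine, "remote-2": genuine, "remote-3": genuine}
    hijacked = {"primary": forged, "remote-1": genuine, "remote-2": genuine, "remote-3": genuine}
    return {
        # legitimate path: permitted CA, permitted method, consistent from every perspective
        "strict_dns01_multi": multi_perspective(honest, "strict-ca.example", "dns-01", ""),
        # method binding: same CA, but http-01 is refused by the genuine record
        "strict_http01_single": one_perspective(genuine, "strict-ca.example", "http-01", ""),
        # the downgrade: a single-perspective check at the hijacked vantage point says yes...
        "weak_single_hijacked": one_perspective(forged, "weak-ca.example", "http-01", ""),
        # ...but no remote perspective corroborates, so the multi-perspective check says no
        "weak_multi_hijacked": multi_perspective(hijacked, "weak-ca.example", "http-01", ""),
        # the no-issue record blocks everyone, including the otherwise-permitted CA
        "no_issue": one_perspective(no_issue, "strict-ca.example", "dns-01", ""),
        # account binding: right CA, wrong ACME account vs. the bound account
        "acct_wrong": one_perspective(acct_bound, "strict-ca.example", "dns-01",
                                      "https://acme.strict-ca.example/acct/7"),
        "acct_right": one_perspective(acct_bound, "strict-ca.example", "dns-01",
                                      "https://acme.strict-ca.example/acct/42"),
    }


if __name__ == "__main__":
    for name, verdict in downgrade_demo().items():
        print(f"{name:22s} -> {'issue' if verdict else 'refuse'}")
```

The point to take from the output is the pair `weak_single_hijacked` / `weak_multi_hijacked`: the same forged answer that lets the non-permitted CA through when only the primary perspective is consulted is outvoted once the remote perspectives, which still see the genuine record, are required to corroborate. The `no_issue` and `acct_*` entries show that the same single-point dependence applies to the no-issue record and to RFC 8657 account binding.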