[cabfpub] Localized CAs (was: Food for Thought)

Brian Trzupek BTrzupek at trustwave.com
Thu Aug 30 08:06:31 MST 2012


So, a pretty common use case for us is a customer buys a SAN certificate and adds several ccTLDs/gTLDs for their company like so:

www.company.com
company.com
www.company.co.uk
www.company.de
www.company.es
www.company.hk
www.company.net
etc.

How would this jibe with what you are proposing such that we could continue to serve customers in this manner?

Thanks,
Brian

On Aug 29, 2012, at 4:12 PM, "Hill, Brad" <bhill at paypal-inc.com> wrote:

>> From: Chris Palmer [mailto:palmer at google.com]
>> Would it as well as or better than name constraints? It seems harder to get
>> right than name constraints.
>
>> -----Original Message-----
>> From: Phillip [mailto:philliph at comodo.com]
>> The real test is whether a control can reduce an acceptably large percentage
>> of negative outcomes without an unacceptable rate of false reports.
>>
>
> [Hill, Brad] I'm thinking something like an external set of annotations for root or intermediate CA certificates.  CAs would voluntarily opt-in to setting the regions or language communities in which they do business.  As an external set of annotations, they could choose to change that in a much more lightweight fashion than updating the root cert itself.
>
> How effective it is depends on how many would choose to opt-in.  Would any?  I don't know.  I know of plenty of US businesses who do things like blackhole all IP addresses in China or Russia because they have no customers there, only attackers.
>
> Name constraints are just not going to happen outside of an enterprise context because there is no real mapping between TLDs and customer communities.  Even outside the realm of the gTLDs, look at the wide use of "vanity" ccTLDs like ".ly" or ".tv".
>
> If 25% of CAs opted-in, that would be perhaps a 99% reduction in their value as a target, and a 25% reduction for everyone outside their customer/RP community in the single-point-of-failure attack surface.  That's pretty good, if you ask me.
>
> If these annotations were of a standard format and user-modifiable, it would also provide an easy platform for supporting additional trust lists, whether provided by your IT department, the EU, or an independent organization like the Tor Project.
>
> Shades of Convergence / Omnibroker, but with defaults opted-in to by the CAs themselves that give some immediate benefit to even non-technical users who won't customize their trust list.
>
> This system could also let us deal with cases where national audit / accreditation schemes and auditors are found to be inadequate: CAs audited by such bodies, rather than to an international standard, might be restricted to only that language community; thus reducing risks to the global Internet without interfering in local sovereignty.
>
> -Brad
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
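As an added example (not from the thread and not any CA's or browser's implementation), the following Python applies RFC 5280 dNSName constraint matching to Brian's SAN list, with a constructed region-to-TLD annotation standing in for Brad's opt-in proposal; it shows which of those names a CA annotated as "US only" could not cover. The region mapping, function names and the "excluded before permitted" ordering are assumptions made for illustration.

```python
# Added example: RFC 5280-style dNSName name-constraint evaluation applied
# to the multi-ccTLD SAN list from the thread. The region annotation below
# is constructed for illustration and is not a real CA/browser data set.

# Brian's SAN list, as posted.
SAN_NAMES = [
    "www.company.com", "company.com", "www.company.co.uk",
    "www.company.de", "www.company.es", "www.company.hk", "www.company.net",
]

# Constructed "localized CA" annotation: region -> permitted DNS suffixes.
REGION_TLDS = {
    "US": {"com", "net", "org", "us"},
    "EU": {"eu", "de", "es", "co.uk"},
    "HK": {"hk"},
}


def dns_name_matches(name: str, constraint: str) -> bool:
    """RFC 5280 4.2.1.10 dNSName rule: a constraint 'host.example.com'
    matches itself and any name formed by adding labels on the left,
    so 'a.host.example.com' matches but 'hostexample.com' does not."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    return name == constraint or name.endswith("." + constraint)


def check_name_constraints(names, permitted, excluded):
    """Map each SAN to 'ok', 'excluded' or 'not permitted'. Excluded
    subtrees win over permitted ones; an empty permitted list means
    the permittedSubtrees field is absent, so every name is allowed."""
    verdict = {}
    for n in names:
        if any(dns_name_matches(n, c) for c in excluded):
            verdict[n] = "excluded"
        elif permitted and not any(dns_name_matches(n, c) for c in permitted):
            verdict[n] = "not permitted"
        else:
            verdict[n] = "ok"
    return verdict


def names_blocked_by_region(names, regions, annotation=REGION_TLDS):
    """Expand a CA's opted-in regions into permitted suffixes (Brad's
    annotation idea, as a toy) and return the SANs that fall outside."""
    permitted = sorted({t for r in regions for t in annotation.get(r, ())})
    verdict = check_name_constraints(names, permitted, [])
    return sorted(n for n, v in verdict.items() if v != "ok")


if __name__ == "__main__":
    print(names_blocked_by_region(SAN_NAMES, ["US"]))
```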




