[cabfpub] Revised document for Ballot 89 - Adopt Requirements for the Processing of EV SSL Certificates v.2

Chris Palmer palmer at google.com
Fri Oct 12 22:35:45 UTC 2012


On Fri, Oct 12, 2012 at 2:56 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:

> the entire Forum may want to debate. IMO, we (at least the CAs) should be
> united in discouraging the use of DANE options that disable PKIX chain
> validation. If browsers add DANE support for option 3 (no PKIX chain
> validation), then a phisher could set up a fake site with a self-signed
> cert, and users visiting it would receive no warning whatsoever.

I don't see self-signed certificates + DANE as being *especially*
dangerous in this way; wouldn't any attacker who could get their bad
cert authenticated in DNSSEC also get a bad cert through DV?

I think (but am not sure) that in a Certificate Transparency world, a
phisher abusing DANE would still have to either submit their fake cert
in the CT log (and risk detection), or their attack would not work —
just like an attacker trying to abuse DV would have to.

> What are Google’s plans for DANE support in Chrome? I suppose it will be
> dependent on platform support, since Chrome relies on the OS for crypto and
> PKI.

Well, Adam implemented DNSSEC-*stapled* certificates:

http://www.imperialviolet.org/2011/06/16/dnssecchrome.html

But as far as I know, we don't have any live plans to implement DANE.


