[cabfpub] Revised document for Ballot 89 - Adopt Requirements for the Processing of EV SSL Certificates v.2
Ben Laurie
benl at google.com
Tue Oct 16 10:04:22 UTC 2012
On 12 October 2012 23:35, Chris Palmer <palmer at google.com> wrote:
> On Fri, Oct 12, 2012 at 2:56 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:
>
>> the entire Forum may want to debate. IMO, we (at least the CAs) should be
>> united in discouraging the use of DANE options that disable PKIX chain
>> validation. If browsers add DANE support for option 3 (no PKIX chain
>> validation), then a phisher could set up a fake site with a self-signed
>> cert, and users visiting it would receive no warning whatsoever.
>
> I don't see self-signed certificates + DANE as being *especially*
> dangerous in this way; wouldn't any attacker who could get their bad
> cert authenticated in DNSSEC also get a bad cert through DV?
>
> I think (but am not sure) that in a Certificate Transparency world, a
> phisher abusing DANE would still have to either submit their fake cert
> in the CT log (and risk detection), or their attack would not work —
> just like an attacker trying to abuse DV would have to.
You are correct.
>> What are Google’s plans for DANE support in Chrome? I suppose it will be
>> dependent on platform support, since Chrome relies on the OS for crypto and
>> PKI.
>
> Well, Adam implemented DNSSEC-*stapled* certificates:
>
> http://www.imperialviolet.org/2011/06/16/dnssecchrome.html
>
> But as far as I know, we don't have any live plans to implement DANE.
Presumably we could implement TLSA stapling fairly easily.
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
More information about the Public
mailing list