[cabfpub] Revisiting CAA

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Sat May 3 00:47:44 UTC 2014


Phil -- in no case would a hacker (like in the Diginotar or Comodo cases) bother to observe the CAA limitations posted by the domain owners for the fake certs the hackers got (google, microsoft, etc.).  So I don't think CAA would have stopped mis-issuance in those cases.  (But you are right that in the Microsoft case from 2001, the person doing manual vetting MIGHT have been stopped by a contrary CAA record -- but then again, this vetter didn't follow VeriSign's own vetting rules, so hard to put a lot of confidence in a CAA search in that case.)

Gerv is right that a cert issuing system that did an automatic CAA lookup and created a hard stop for a contrary record is the only way that CAA might have prevented Diginotar -- but then again, wouldn't the hacker have tried to go around the CAA checking as part of the hacking?

-----Original Message-----
From: Phillip Hallam-Baker [mailto:philliph at comodo.com] 
Sent: Friday, May 02, 2014 10:49 AM
To: Kirk Hall (RD-US); Gervase Markham; Rick Andrews; public at cabforum.org
Subject: Re: [cabfpub] Revisiting CAA

That is a rather strange test to apply given that we have so few cases of misissue reported.

It would have done nothing in the 2001 VeriSign incident because VeriSign was authorized to issue for Microsoft. At the time I first proposed CAA, that was the only public incident.

Apart from that, deployment of CAA would have forced manual processing of requests in the Comodo and DigiNotar incidents if it had been deployed. So the answer to your question would be 'almost all'.

But given the low incidence of mis-issue, I would instead ask if CAA addresses any of the criticisms that have been raised against the WebPKI. It very clearly addresses the 'too many CAs' complaint.


I don't believe in reactive security. I try to fix problems before they occur.

-----Original Message----- 
From: kirk_hall at trendmicro.com
Sent: Friday, May 02, 2014 11:40 AM
To: Gervase Markham ; Rick Andrews ; public at cabforum.org
Subject: Re: [cabfpub] Revisiting CAA

Can anyone identify one case -- even one -- of mis-issuance of a certificate by a CA that would have been prevented by CAA?  (I can't think of one.)

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Friday, May 02, 2014 2:07 AM
To: Rick Andrews; public at cabforum.org
Subject: Re: [cabfpub] Revisiting CAA

On 01/05/14 23:26, Rick Andrews wrote:
> I’m attaching Phillip’s original proposal for CAA and Jeremy’s
> suggestion for enhancement. Here’s my proposal.

I think the proposal is good, although the scare quotes around "procedure" are unnecessarily pejorative. If our plan is not to mandate that CAs explicitly honour CAA, then we should not seem to sneer at those who don't. So we should remove the words "(although not desirable)" too. Let's not try and have it both ways.

Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public

TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
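The automatic CAA lookup with a hard stop that Gerv and Kirk discuss above, as an added example that is not code from this thread or from any CA's issuance system: a Python sketch of the lookup and matching rules of RFC 6844 (the CAA specification in force when this thread was written, May 2014), run against a constructed in-memory zone. The zone contents, the CA domains and the helper names are all assumptions made for the illustration; there is no live DNS and no CNAME following.

```python
"""
Added example (not from the cabfpub thread): a minimal CA-side CAA check that
refuses issuance when the relevant CAA RRset does not name this CA.

Rules implemented, per RFC 6844:
  - s4: climb the DNS tree from the requested name towards the root; the first
    non-empty CAA RRset found is the only one that applies.
  - s5.1: an unrecognised property tag carrying the critical flag (bit 128)
    means the CA must not issue.
  - s5.2/s5.3: "issue" governs ordinary names; "issuewild" governs wildcard
    requests when present, otherwise "issue" applies to them too. An empty
    issuer domain (value ";") authorises no CA at all.
Simplifications: in-memory zone instead of DNS, no CNAME chasing, no DNSSEC.
"""
from dataclasses import dataclass

CRITICAL = 128  # RFC 6844 flags octet: bit 7 is the "issuer critical" flag

@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

# Constructed sample zone (assumption, not real DNS): owner name -> CAA RRset.
ZONE = {
    "example.com.": [CAA(0, "issue", "letsencrypt.org"), CAA(0, "issuewild", ";")],
    "locked.example.com.": [CAA(0, "issue", ";")],                       # nobody may issue
    "strict.example.com.": [CAA(CRITICAL, "futuretag", "opaque")],        # unknown critical tag
    "legacy.example.net.": [CAA(0, "issue", "ca.example.org; account=230123")],
}

def relevant_caa_set(fqdn, zone):
    """RFC 6844 s4 tree climb. Returns (owner name, RRset) or (None, [])."""
    labels = (fqdn.rstrip(".") + ".").split(".")   # trailing "" stands for the root
    for i in range(len(labels) - 1):               # stop before the bare root
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []

def issuer_domain(value):
    """Issuer domain name from an issue/issuewild value, before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(request_name, ca_domain, zone):
    """Decide whether the CA identified by ca_domain may issue for request_name.

    Returns (allowed, reason). A False result is the hard stop: the request
    must not proceed to automated issuance.
    """
    wildcard = request_name.startswith("*.")
    lookup_name = request_name[2:] if wildcard else request_name
    found_at, rrset = relevant_caa_set(lookup_name, zone)
    if not rrset:
        return True, "no CAA RRset anywhere in the tree: CAA imposes no restriction"

    known_tags = {"issue", "issuewild", "iodef"}
    for rr in rrset:
        if rr.tag.lower() not in known_tags and rr.flags & CRITICAL:
            return False, f"unrecognised critical tag '{rr.tag}' at {found_at}"

    tag = "issue"
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrset):
        tag = "issuewild"
    relevant = [rr for rr in rrset if rr.tag.lower() == tag]
    if not relevant:
        return True, f"no '{tag}' property at {found_at}: CAA imposes no restriction"

    for rr in relevant:
        if issuer_domain(rr.value) == ca_domain.lower():
            return True, f"'{tag}' property at {found_at} names {ca_domain}"
    return False, f"'{tag}' properties at {found_at} do not name {ca_domain}"

if __name__ == "__main__":
    # Constructed requests: (name to be certified, CA making the decision)
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "comodoca.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("mail.locked.example.com", "letsencrypt.org"),
                     ("strict.example.com", "letsencrypt.org"),
                     ("legacy.example.net", "CA.example.org"),
                     ("nothing.example.org", "anyca.example")]:
        ok, why = caa_permits(name, ca, ZONE)
        print(f"{'ISSUE ' if ok else 'REFUSE'} {name:26} {ca:18} {why}")
```

The point of the example is that the refusal comes from the pipeline itself, before any human vetter sees the request, so a contrary record cannot be skipped by the person handling the order. A production implementation would additionally follow CNAMEs and query through a validating (DNSSEC) resolver, as RFC 6844 describes, and would record the RRset it acted on for later audit.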