[cabfpub] [EXTERNAL] Brazilian bank DNS heist
rob.stradling at comodo.com
Mon Apr 10 07:36:02 MST 2017
On 10/04/17 12:57, Eric Mill via Public wrote:
> To try and sum up what I think Ryan is saying, CAs could use HPKP to
> achieve the same effect as an "EV-Only" pin if CAs each publicly
> published and maintained the hash of their public keys that correspond
> to EV-only issuing CAs, for customers to rely on.
Not all CAs have chosen to use separate intermediate(s) to issue only EV
> Then a customer who doesn't wish to pin to a small set of CAs or end
> entity certs, out of fear of bricking themselves, could construct an
> "EV-only" set of pins that encompassed all publicly trusted EV-issuing
> CAs. The technical risks would be similar than a hypothetical "EV-only"
> pinning standard, and require no further effort on the part of browsers.
> The primary issue for server operators is that that server operators
> would need to keep their pins up to date as the set of EV-only issuing
> CAs change, but I would think that that rate of change might be
> manageable, and even a fairly out-of-date set of pins would still leave
> ample breathing room to migrate CAs if an issue occurs.
> The primary issue for CAs is that you'd really want to coordinate to put
> these in one place, and maintain an authoritative "EV-only" set of pins
> for server operators to refer to. It wouldn't be reasonable to ask
> interested server operators to hunt it all down and construct the pins
> themselves, and wouldn't be effective -- people would make mistakes and
> then blame the CAs.
Whereas adding an "EV only" option to HSTS would...
1) avoid the need to coordinate and maintain a list of "EV only" pins.
2) avoid the need for site operators to update their local copies of the
list of "EV only" pins.
3) work even in the case of a CA that hasn't chosen to use "EV only"
Senior Research & Development Scientist
COMODO - Creating Trust Online
More information about the Public