[cabfpub] [EXTERNAL] Brazilian bank DNS heist

Mon Apr 10 14:49:42 UTC 2017


Re: [cabfpub] [EXTERNAL] Brazilian bank DNS heist

On 10/04/17 12:57, Eric Mill via Public wrote:
> To try and sum up what I think Ryan is saying, CAs could use HPKP to 
> achieve the same effect as an "EV-Only" pin if CAs each publicly 
> published and maintained the hash of their public keys that correspond 
> to EV-only issuing CAs, for customers to rely on.

Not all CAs have chosen to use separate intermediate(s) to issue only EV certs.

e.g., https://crt.sh/?Identity=%25&iCAID=904

> Then a customer who doesn't wish to pin to a small set of CAs or end 
> entity certs, out of fear of bricking themselves, could construct an 
> "EV-only" set of pins that encompassed all publicly trusted EV-issuing 
> CAs. The technical risks would be similar to a hypothetical "EV-only"
> pinning standard, and require no further effort on the part of browsers.
> The primary issue for server operators is that server operators 
> would need to keep their pins up to date as the set of EV-only issuing 
> CAs change, but I would think that rate of change might be 
> manageable, and even a fairly out-of-date set of pins would still 
> leave ample breathing room to migrate CAs if an issue occurs.
> The primary issue for CAs is that you'd really want to coordinate to 
> put these in one place, and maintain an authoritative "EV-only" set of 
> pins for server operators to refer to. It wouldn't be reasonable to 
> ask interested server operators to hunt it all down and construct the 
> pins themselves, and wouldn't be effective -- people would make 
> mistakes and then blame the CAs.

Whereas adding an "EV only" option to HSTS would...

1) avoid the need to coordinate and maintain a list of "EV only" pins.

2) avoid the need for site operators to update their local copies of the list of "EV only" pins.

3) work even in the case of a CA that hasn't chosen to use "EV only" 
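To make the mechanics of the two proposals concrete, here is an added example (not code from this thread, Eric, or any CA) showing what an "EV-only" HPKP pin set actually is: base64(SHA-256(DER SubjectPublicKeyInfo)) of each EV-only issuing intermediate, shipped in a Public-Key-Pins header, with a chain accepted if any SPKI in it matches a pin (RFC 7469). The CA names and SPKI blobs are constructed (Ed25519 SPKI DER wrapped around hash-derived bytes), not real CA keys; the three scenarios at the end reproduce the stale-list problem from the quoted message and point 3 above, that a pin on an intermediate which issues both DV and EV admits that CA's DV certificates too.

```python
"""Build and check an HPKP-style "EV-only" pin set from CA SPKIs (added example)."""
import base64
import hashlib
import re

# Ed25519 SubjectPublicKeyInfo DER prefix:
#   SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (0 unused bits) ... }
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def constructed_spki(seed: str) -> bytes:
    """Syntactically valid Ed25519 SPKI whose 32 key bytes are derived from `seed`.
    Constructed test data standing in for a CA key; not a real key."""
    return _ED25519_SPKI_PREFIX + hashlib.sha256(seed.encode()).digest()


def spki_to_pem(spki_der: bytes) -> str:
    """Wrap an SPKI the way `openssl x509 -pubkey -noout` prints it."""
    b64 = base64.b64encode(spki_der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value as HPKP defines it: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_from_pem(pem: str) -> str:
    """Pin for a PEM PUBLIC KEY block, the form a CA would publish for its intermediates."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("no PUBLIC KEY block found")
    return spki_pin(base64.b64decode("".join(m.group(1).split())))


def build_pkp_header(pins, max_age=5184000, include_subdomains=False, report_uri=None) -> str:
    """Public-Key-Pins header value carrying the whole pin set."""
    parts = [f'pin-sha256="{p}"' for p in pins]
    parts.append(f"max-age={max_age}")
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


def chain_matches_pins(chain_spkis, pins) -> bool:
    """HPKP validation: the served chain passes if any SPKI in it hashes to a pinned value.
    Note the check sees only keys; it cannot tell an EV leaf from a DV leaf."""
    pin_set = set(pins)
    return any(spki_pin(s) in pin_set for s in chain_spkis)


# Constructed stand-in for a published list of "EV-only issuing CA" keys.
EV_ONLY_INTERMEDIATES = {
    "CA-A EV Intermediate (hypothetical)": constructed_spki("ca-a-ev"),
    "CA-B EV Intermediate (hypothetical)": constructed_spki("ca-b-ev"),
}
EV_ONLY_PINS = [spki_pin(s) for s in EV_ONLY_INTERMEDIATES.values()]


def served_chain(issuer_seed: str, leaf_seed: str):
    """Served chain as SPKIs, leaf first then the issuing intermediate (constructed)."""
    return [constructed_spki(leaf_seed), constructed_spki(issuer_seed)]


def scenario() -> dict:
    """Outcome of three chains against the EV-only pin set (True = connection accepted)."""
    # A CA that issues DV and EV from the same intermediate; a site that wants EV
    # coverage from it has no choice but to pin that shared key.
    mixed_ca_pin = spki_pin(constructed_spki("ca-d-mixed"))
    return {
        # EV leaf from a listed CA: accepted.
        "ev_from_listed_ca": chain_matches_pins(served_chain("ca-a-ev", "bank-leaf"), EV_ONLY_PINS),
        # EV leaf from a CA whose EV intermediate appeared after the site's copy of the
        # list was built: rejected, the staleness problem raised in the quoted message.
        "ev_from_new_ca": chain_matches_pins(served_chain("ca-c-ev", "bank-leaf"), EV_ONLY_PINS),
        # DV leaf from the mixed intermediate once that key is pinned: accepted,
        # so the pin set is no longer "EV only" (point 3 above).
        "dv_from_mixed_ca": chain_matches_pins(
            served_chain("ca-d-mixed", "dv-leaf"), EV_ONLY_PINS + [mixed_ca_pin]),
    }


if __name__ == "__main__":
    print(build_pkp_header(EV_ONLY_PINS, include_subdomains=True))
    for name, ok in scenario().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

An HSTS-style "EV only" flag would leave the browser, which already knows which leaf certificates it treats as EV, to make the decision, which is why it needs neither the published key list nor the site's copy of it, and why it is unaffected by whether a CA uses a dedicated EV intermediate.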


