[cabfpub] [EXTERNAL] Brazilian bank DNS heist

Ryan Sleevi sleevi at google.com
Mon Apr 10 14:51:50 UTC 2017

On Mon, Apr 10, 2017 at 10:36 AM, Rob Stradling via Public <
public at cabforum.org> wrote:

> Not all CAs have chosen to use separate intermediate(s) to issue only EV
> certs.
> e.g., https://crt.sh/?Identity=%25&iCAID=904

I didn't say they have - I said they should.

Any CA who isn't using a distinct EV intermediate can, in the future, do so
for new certificates, w/o any issue. That's not a hard blocker.

> Whereas adding an "EV only" option to HSTS would...
> 1) avoid the need to coordinate and maintain a list of "EV only" pins.

That's not correct. It just outsources the problem back to the user and the
browsers - any site operator would need to know what constitutes "EV
only". For example, if browsers don't all update their EV list on the exact
same day (and they don't), then you end up in a situation where Browser A
recognizes a site as EV-only and Browser B does not. The implications of
this are that the site would break in Browser B (if the pin was noted).

> 2) avoid the need for site operators to update their local copies of the
> list of "EV only" pins.

It doesn't. A site operator would constantly have to be checking what sets
of CAs the browser noted were for EV only, to make sure their CA was
providing that.

It's riskier for browsers to do so, because now there's zero relationship
with the customer (the site operator) and with the CA (to make sure their
PKI hierarchy is sane). As plenty of CAs in the Forum can attest to, they
have been bitten where cross-signs of their intermediates lead to incorrect
recognition of EV status. Or browser bugs related to certificate policies.

This instead promotes a direct relationship between the customer and the
CA, which is the only relationship for which a reliable means of
communication exists (quite literally, in the case of EV!)

> 3) work even in the case of a CA that hasn't chosen to use "EV only"
> intermediate(s).

Sounds like you're saying CAs are incapable of change? ;)

More pragmatically, nothing about the proposed solution is blocked on any
new development, other than the CA needing to do something if the CA wants
to offer this service to its subscriber. That's quite literally the exact
place the cost of work should be borne. A CA can dedicate one or more
intermediates to EV and begin issuing _today_ (provided they've got their
ceremonies scripted and ready).