[Servercert-wg] [EXTERNAL]Re: [cabf_validation] Underscores, DNSNames, and SRVNames

Ryan Sleevi sleevi at google.com
Fri Oct 26 16:29:56 MST 2018

On Fri, Oct 26, 2018 at 7:04 PM Gordon Bock via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Hi All,
> Microsoft performed an assessment of the “_” in domain names and our data
> points to > 600 organizations globally (including Fortune 500,
> governments, and universities) who currently use an “_” in the domain
> name. This is a large customer impact without a clear security
> enhancement. We DO NOT believe that the data we evaluated from CT is
> comprehensive as it did not include DNS services specifications (e.g.
> “_SIP”, “_TCP”, etc.) specified in documentation used by Microsoft as well
> as other software companies who produce products that require specified DNS
> Services (for example, Lync, Skype, etc.). Since these services are not
> consumed by browsers but rather dedicated clients we believe that many of
> these certificates are not recorded in CT logs.

Hi Gordon,

I'm afraid there's been some misunderstanding. This information is recorded
in CT logs. Browsers don't log certificates themselves - a variety of
tools, ranging from Censys (doing Internet- and service-wide scans), CAs
that have logged their complete issuance activities, search engines, and
researchers have all logged.

For example, the DNS service description was considered in the analysis,
and there were entries that were captured.

> https://docs.microsoft.com/en-us/lyncserver/lync-server-2013-dns-summary-single-consolidated-edge-with-private-ip-addresses-using-nat
> An argument could be made that if implemented end customers could purchase
> wildcard certificates. However, many consider wildcard certificates to be
> a security risk, which is why CAA records allow for their exclusion. For
> this reason Microsoft believes that wildcard certificates should not be a
> solution that is encouraged. Additionally, the use of “_” is not
> prevented/discouraged by DNS providers nor web browsers.

This is not correct. As noted, this issue arose through bugs in Microsoft's
DNS implementation, which propagated through the ecosystem. Multiple
browsers have been working to resolve this issue. The use of underscores
has created security issues in other spaces - such as the processing of
IDNA encoding, as previously discussed. The failure to properly handle this
has created security bugs requiring redefining the IDNA processing model.

Finally, CAA records allow for the independent restriction of wildcards,
which is true, but that should not be seen as a core motivation for CAA to
permit independent exclusion. As the discussion in the recent Shanghai F2F
captured, this functionality can also be accomplished by working with the
CAA enumerated in the CA record.
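The kind of check the CT analysis discussed above relies on, as an added illustration that is not part of this thread: given dNSName SAN values (a constructed sample list here, not real CT data), flag labels that fall outside the letters-digits-hyphen syntax and separate SRV-style owner names such as _sip._tcp.example.com from ordinary hostnames that merely contain an underscore. The SAMPLE_SANS values and the function names are assumptions for the example.

```python
import re

# RFC 1123 letters-digits-hyphen label, which is what a dNSName SAN is expected to carry.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Protocol labels that appear in SRV owner names (_service._proto.host).
SRV_PROTO_LABELS = {"_tcp", "_udp", "_tls", "_sctp"}


def classify_dns_name(name: str) -> dict:
    """Classify one dNSName value: is it pure LDH, which labels carry an
    underscore, and does it have the shape of an SRV owner name?"""
    labels = name.rstrip(".").split(".")
    wildcard = labels[0] == "*"
    # A leading "*" label is allowed; check the remaining labels against LDH.
    checked = labels[1:] if wildcard else labels
    ldh_ok = all(LDH_LABEL.match(label) for label in checked)
    underscore_labels = [label for label in labels if "_" in label]
    srv_style = (
        len(labels) >= 3
        and labels[0].startswith("_")
        and labels[1].lower() in SRV_PROTO_LABELS
    )
    return {
        "name": name,
        "ldh_ok": ldh_ok,
        "underscore_labels": underscore_labels,
        "srv_style": srv_style,
        "wildcard": wildcard,
    }


def find_underscore_names(san_dns_names):
    """Return the classification of every SAN value that fails the LDH check."""
    return [r for r in map(classify_dns_name, san_dns_names) if not r["ldh_ok"]]


# Constructed sample of dNSName values, standing in for entries pulled from CT logs.
SAMPLE_SANS = [
    "www.example.com",
    "_sip._tcp.example.com",
    "_sipfederationtls._tcp.example.com",
    "mail_server.example.com",
    "*.example.com",
]

if __name__ == "__main__":
    for r in find_underscore_names(SAMPLE_SANS):
        kind = "SRV-style name" if r["srv_style"] else "hostname with underscore"
        print(f"{r['name']}: {kind}; offending labels {r['underscore_labels']}")
```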