[cabf_validation] Minutes from the Validation Subcommittee meeting of 13 September 2018.
wthayer at mozilla.com
Fri Sep 14 13:05:34 MST 2018
Attendees: Tim Hollebeek, Ben Wilson, Shelley Brewer, Bruce Morton, Corey
Bonnell, Frank Corday, Joanna Fox, Rich Smith, Robin Alden, Li-Chun Chen,
Frank Corday, Ryan Sleevi, Henry Birge-Lee (guest), Mike Ounsworth
(guest?), Serge Mister (guest?)
1. BGP Hijacking presentation - Henry Birge-Lee from Princeton
Henry presented slides similar to these:
The paper presented at USENIX is available at
2. After Henry presented the slides, he took questions:
* Ryan asked if the best vantage point locations on the internet are
* Henry said that popular destinations don’t change their locations all
that often. For example, Amazon hosts a large percentage of domains, so
putting vantage points close to Amazon is good.
* Ryan agreed that there is greater stability for popular destinations, but
we want security for all sites. We need agreed upon locations or criteria
for vantage point selection that protects all sites.
* Henry said that it is difficult to hijack the entire internet. His team
is working on a document that contains a set of recommendations for vantage
point locations. They’re finding that the benefit from multiple vantage
points is good even if they aren’t all that diverse. What really matters is
good diversity across internet topology.
* Tim said we also need to determine policy when not all vantage points
agree. What is the resilience of multiple vantage points to failures?
* Henry said they are looking into that question and they are determining
quorum policy for Let’s Encrypt. Quorum of N-1 (where N=number of vantage
points ~5) provides good resilience, but less than that gives an attacker a
* Ryan said that false negatives and denial of service are also an issue,
so for example an N-1 quorum policy only requires an attacker to disrupt
two vantage points to deny issuance.
* Henry noted that attacks do get detected and network routing fixed fairly
quickly relative to certificate lifetimes.
* Ryan said that there is still a lot of cost to false negatives (denial of
a legit certificate request) for the majority of certificates which are
* Tim said that it would be nice to be able to disable HTTP validation via
* Ryan said that is only valuable if you have DNSSEC configured, otherwise
the CAA record can be hijacked.
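The quorum trade-off discussed above (an N-1 quorum resists hijacking of any single vantage point, but an attacker who disrupts just two of five vantage points can block issuance) can be checked directly. The following is an added example, not code from the minutes, Princeton or Let's Encrypt; the five vantage point names and the challenge-token strings are constructed, and N=5 is taken from the "~5" mentioned by Henry. It models a multi-perspective validation as a set of per-vantage-point observations and brute-forces the smallest hijacked or disrupted set that flips the decision for a given quorum threshold.

```python
"""Multi-perspective domain validation under a quorum policy (added example).

Every vantage point fetches the validation token for the domain under test
and reports what it saw (None when the fetch failed or the real server did
not serve the token).  The CA issues only when at least `quorum` vantage
points saw the token it expects.  Two failure modes are modelled:
  * hijack: routes from some vantage points are diverted to an attacker who
    serves the token for the attacker's own request (false positive);
  * denial: some vantage points cannot reach the domain at all (false
    negative, i.e. issuance to the legitimate holder is blocked).
"""
from itertools import combinations
from typing import Dict, Iterable, Optional

# Constructed vantage point names; N=5 follows the "~5" quoted in the minutes.
VANTAGE_POINTS = ["us-east", "us-west", "eu-central", "ap-southeast", "sa-east"]

Observation = Optional[str]


def quorum_validate(observations: Dict[str, Observation], expected: str, quorum: int) -> bool:
    """Issue (True) when at least `quorum` vantage points observed `expected`."""
    if not 1 <= quorum <= len(observations):
        raise ValueError("quorum must be between 1 and the number of vantage points")
    agreeing = sum(1 for seen in observations.values() if seen == expected)
    return agreeing >= quorum


def hijack_scenario(vantage_points: Iterable[str], hijacked: Iterable[str], quorum: int) -> bool:
    """Attacker requests a certificate for a domain it does not control.

    Vantage points whose route is hijacked reach the attacker, who serves the
    CA's challenge token for the attacker's request.  The others reach the
    real server, which does not serve that token.  Returns True if the CA
    would wrongly issue.
    """
    hijacked = set(hijacked)
    token = "challenge-for-attacker"  # constructed token value
    observations = {vp: (token if vp in hijacked else None) for vp in vantage_points}
    return quorum_validate(observations, token, quorum)


def denial_scenario(vantage_points: Iterable[str], disrupted: Iterable[str], quorum: int) -> bool:
    """Legitimate owner requests a certificate; `disrupted` vantage points
    cannot reach the domain (outage or deliberate disruption).  Returns True
    if issuance still succeeds."""
    disrupted = set(disrupted)
    token = "challenge-for-owner"  # constructed token value
    observations = {vp: (None if vp in disrupted else token) for vp in vantage_points}
    return quorum_validate(observations, token, quorum)


def minimum_attack_sizes(vantage_points: list, quorum: int) -> Dict[str, int]:
    """Smallest number of vantage points an attacker must affect to
    (a) obtain a certificate through hijacking and (b) deny issuance.
    Brute-forced over all subsets; the closed forms are `quorum` and
    `n - quorum + 1` respectively."""
    n = len(vantage_points)
    hijack = next(k for k in range(n + 1)
                  if any(hijack_scenario(vantage_points, c, quorum)
                         for c in combinations(vantage_points, k)))
    deny = next(k for k in range(n + 1)
                if any(not denial_scenario(vantage_points, c, quorum)
                       for c in combinations(vantage_points, k)))
    return {"hijack": hijack, "deny": deny}


def policy_table(vantage_points: list) -> Dict[int, Dict[str, int]]:
    """Attack costs for every possible quorum threshold, to compare policies."""
    return {q: minimum_attack_sizes(vantage_points, q) for q in range(1, len(vantage_points) + 1)}


if __name__ == "__main__":
    for quorum, costs in policy_table(VANTAGE_POINTS).items():
        print(f"quorum {quorum}/{len(VANTAGE_POINTS)}: "
              f"hijack {costs['hijack']} vantage points to issue, "
              f"disrupt {costs['deny']} to deny")
```

Running the table shows the tension Ryan raised: raising the quorum towards N makes a hijack harder (the attacker must divert more vantage points) but makes denial easier, since fewer outages are needed to drop below the threshold. Picking a quorum is therefore a choice between false-positive and false-negative cost, not a purely security-maximising knob.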
3. Bylaws fix ballot FORUM-4
Tim is working to get the ballot in shape for a vote. The version of the
bylaws we voted on in ballot 206 was out of date, and it was missing the
‘discussion period’ changes passed in ballot 216. Tim said that he found
some errors in the redline that Ben produced and asked others to look
closely at the redline to identify any additional bugs.
4. CAA Contact ballot
Tim let the draft that was in discussion expire. He’ll recirculate the
5. Any other method ballot
Tim said that he also plans to recirculate this ballot soon.
6. Method 3 ballot
Tim said and Doug agreed that this is blocked on the CAA contact ballot.
Doug may resend it to confirm that no one has any other issues with the
7. Validation method in certificates
Wayne said this is ready for a discussion period but he’s waiting for the
bylaws to be fixed.
8. CAA validation method extensions ballot
Tim said that in light of the presentation on BGP hijacking, he would like
to get this going once other ballots have been progressed.
9. Shanghai F2F meeting
* Tim - what do we want to discuss in Shanghai?
* Bruce - BGP hijacking
* Tim - we should discuss this and other recently disclosed attacks on DNS
at the F2F
* Tim also asked for feedback on this morning’s invited speakers and if we
have more, what are some suggested topics?
* Tim said that multi-perspective DNS validation is a card on our Trello
board, so Shanghai is a good opportunity to discuss
Tim adjourned the meeting.