[cabfpub] Continuing the discussion on CAA

Kirk Hall Kirk.Hall at entrust.com
Tue Oct 18 01:07:00 UTC 2016

Gerv, one other point to consider is that many CAs already have hard stops that can't be easily overridden for the highest value names you listed ("Google or Yahoo or Microsoft" - or Mozilla), so a hard stop with CAA would never even be reached via automated requests for those domains.  So many CA systems would not benefit all that much with CAA for those types of high value domains - they are already thrown into extra manual scrutiny.

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham via Public
Sent: Monday, October 17, 2016 5:21 AM
To: Eric Mill <eric.mill at gsa.gov>
Cc: public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA

On 15/10/16 22:49, Eric Mill wrote:
> a clear threat model. It seems to me that CAA is valuable if it 
> provides meaningful technical controls that restrict issuance from the 
> vast majority of CAs with whom an organization will have no business 
> relationship.

If for "vast majority", you read "all", then I agree. But my point is, "what is a technical control"? Something a human can override by checking a checkbox is not a technical control, it's a policy control (CA policy, not domain owner policy).

We have had various instances in the past (Comodogate, DigiNotar) where hackers have gained control of the ability to issue certificates with varying parameters, but have not gained the ability to override the logic built into the CA's issuance code. And it is in precisely situations such as this that the Web PKI is at greatest risk, because the attacker can (and did) issue certificates at will for major sites. I know of no other way to implement a technical control preventing this (assuming the CA doesn't simply want to hard-code a list of important domains they will never issue for, which might be the right thing for e.g. government CAs or academic CAs) except for a non-overrideable CAA check.

If I were a CA, not only would I have such a check, but I'd tie it to a DEFCON 1 alert alarm if triggered. Because the first thing any cocky attacker is going to try once they've broken in is issuing a cert for Google or Yahoo or Microsoft.

Having said that, Bruce makes some reasonable points about enterprise customers issuing from e.g. name-constrained sub-CAs. I need to study his message more carefully. So we should talk more this week about where we can draw some clear lines that provide this protection while exempting situations where the damage of misissuance is limited.

Public mailing list
Public at cabforum.org

More information about the Public mailing list