Re: [Acme] kinds of proof

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 02 December 2014 02:54 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F9BC1A007C for <acme@ietfa.amsl.com>; Mon, 1 Dec 2014 18:54:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OlDXRwAj9Mo0 for <acme@ietfa.amsl.com>; Mon, 1 Dec 2014 18:54:39 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFCAE1A000E for <acme@ietf.org>; Mon, 1 Dec 2014 18:54:39 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id DE0C8282FBC; Tue, 2 Dec 2014 02:54:38 +0000 (UTC)
Date: Tue, 2 Dec 2014 02:54:38 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: "acme@ietf.org" <acme@ietf.org>
Message-ID: <20141202025438.GH285@mournblade.imrryr.org>
References: <20141127211348.GE25114@mournblade.imrryr.org> <54784C61.2080508@cs.tcd.ie> <20141128170917.GC285@mournblade.imrryr.org> <88B49E1D-1601-4B86-8D93-14CF71501DFC@vpnc.org> <20141128213724.GG285@mournblade.imrryr.org> <7261AA75-5912-4514-A393-94F602C941C2@vpnc.org> <20141129170537.GK285@mournblade.imrryr.org> <m2tx1ehq63.wl%randy@psg.com> <CAK6vND83ehPaMtKm0i9nX2H+8k-xo_ztuh+fbnETn7HaoZqr3Q@mail.gmail.com> <DM2PR0301MB0655E1CABDDFF7E3198CA2BFA87A0@DM2PR0301MB0655.namprd03.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <DM2PR0301MB0655E1CABDDFF7E3198CA2BFA87A0@DM2PR0301MB0655.namprd03.prod.outlook.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/EnnOD9SqPOFOf8Wf8UN3c2543_8
Subject: Re: [Acme] kinds of proof
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: acme@ietf.org
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Dec 2014 02:54:41 -0000

On Tue, Dec 02, 2014 at 01:18:20AM +0000, Christian Huitema wrote:

> > Yes, several CAs allow DNS based validation of control.

I thought this too obvious to mention, I was talking *additional*
verification methods other than DNS.

> To belabor the obvious: if someone somehow controls the DNS entry
> for the domain, they can put up a MITM attack and "insert" whatever
> content is suitable for validation.

That's not an attack.  If you control the DNS, you control the
domain, which is what DV is supposed to verify.

I'd like to see is that resolvers used by CAs should support DNSSEC,
and for signed domains apply the appropriate checks.  Which then
leaves room for MiTM attacks via the various DV email addresses,
and port 80 checks, which perhaps should be re-considered when the
candidate DV domain is signed.

-- 
	Viktor.