Re: [saag] subordinate vs intermediate certification authority
Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 06 February 2021 21:34 UTC
On Sat, Feb 06, 2021 at 03:59:37PM -0500, Michael Richardson wrote:
> The issue comes up with pinning as it relates to ownership. It's not
> a problem if every organization that can own Things has its own
> private CA. Pinning that CA works great. Pinning some other EE is
> very much more specific, but also, may be too ephemeral.
>
> Where it gets complex is when organizations have outsourced the CA
> function elsewhere. It's meaningless to pin LetsEncrypt or GoDaddy.
> It might be meaningful to pin a Subordinate CA signed by some public
> CA though.
Are you trying to get at generalising the issue described at:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
(where I track sloppy SMTP server operators who've pinned the now retired
Let's Encrypt "X3" CA, and have failed to keep up with the times)?
The number of MX hosts with such TLSA RRs is falling as they eventually
notice (or the issue is brought to their attention). And, fortunately,
with DANE TLSA RRs published in their DNS zone, they can update the pin
on their end, without having to ask the world to update some local copy.
There is a tiny population of SMTP operators who've attempted to publish
TLSA RRs that pin the EE public key of a provider's SMTP server they
don't control. That's a mistake, and they eventually figure this out
and drop unmaintainable TLSA RRs for servers they don't control.
--
Viktor.
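The failure mode Viktor describes (a "2 1 1" TLSA record pinning a retired intermediate that the server's chain no longer contains, versus a "3 1 1" record pinning a key the operator controls) can be shown with the DANE matching rules of RFC 6698/7671. The following is an added example, not code from the message or its author; the certificates are constructed byte-string stand-ins for DER (labelled as such), no real chain is parsed, and the PKIX-TA/PKIX-EE usages (0 and 1) are deliberately left out because SMTP DANE uses only 2 and 3.

```python
"""DANE TLSA matching over a presented certificate chain (added example).

The Cert values below are constructed placeholders standing in for real DER
and SubjectPublicKeyInfo encodings; only the matching logic is real.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    name: str
    der: bytes   # constructed stand-in for the full certificate DER
    spki: bytes  # constructed stand-in for the SubjectPublicKeyInfo DER


@dataclass(frozen=True)
class TLSA:
    usage: int     # 2 = DANE-TA (pin an issuing CA), 3 = DANE-EE (pin the server key)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data


def _selected(cert: Cert, selector: int) -> bytes:
    return cert.der if selector == 0 else cert.spki


def _assoc_data(blob: bytes, matching: int) -> bytes:
    if matching == 0:
        return blob
    if matching == 1:
        return hashlib.sha256(blob).digest()
    if matching == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unsupported matching type {matching}")


def make_tlsa(cert: Cert, usage: int, selector: int = 1, matching: int = 1) -> TLSA:
    """Build the TLSA record that pins `cert`; default is the common '<usage> 1 1' form."""
    return TLSA(usage, selector, matching, _assoc_data(_selected(cert, selector), matching))


def tlsa_rdata(record: TLSA) -> str:
    """Presentation form of the record, e.g. '3 1 1 <hex digest>'."""
    return f"{record.usage} {record.selector} {record.matching} {record.data.hex()}"


def tlsa_matches(record: TLSA, chain: list[Cert]) -> bool:
    """chain[0] is the end-entity cert, followed by the issuers the server presents."""
    if record.usage == 3:
        candidates = chain[:1]      # DANE-EE: only the server's own certificate counts
    elif record.usage == 2:
        candidates = chain[1:]      # DANE-TA: any presented issuer may be the trust anchor
    else:
        raise ValueError("PKIX-TA/PKIX-EE (usages 0 and 1) are not used for SMTP DANE")
    return any(
        _assoc_data(_selected(c, record.selector), record.matching) == record.data
        for c in candidates
    )


def verify_dane(records: list[TLSA], chain: list[Cert]) -> bool:
    """The TLSA RRset is satisfied if any one record matches the chain."""
    return any(tlsa_matches(r, chain) for r in records)


# Constructed scenario: an MX operator keeps the same server key, but the CA
# it buys from retires one intermediate and starts issuing from another.
OLD_CA = Cert("retired intermediate", b"DER:old-intermediate", b"SPKI:old-intermediate")
NEW_CA = Cert("current intermediate", b"DER:new-intermediate", b"SPKI:new-intermediate")
MX_EE = Cert("mx.example.com", b"DER:mx-ee", b"SPKI:mx-ee")  # key the operator controls

PIN_OLD_CA = make_tlsa(OLD_CA, usage=2)   # "2 1 1" on the intermediate: someone else's key
PIN_OWN_KEY = make_tlsa(MX_EE, usage=3)   # "3 1 1" on the server key: the operator's own

CHAIN_BEFORE = [MX_EE, OLD_CA]  # chain served while the old intermediate was in use
CHAIN_AFTER = [MX_EE, NEW_CA]   # same server key, reissued under the new intermediate


def rollover_outcome() -> dict[str, bool]:
    """Which pins survive the CA's intermediate change without the operator doing anything."""
    return {
        "2 1 1 on retired CA, before": tlsa_matches(PIN_OLD_CA, CHAIN_BEFORE),
        "2 1 1 on retired CA, after": tlsa_matches(PIN_OLD_CA, CHAIN_AFTER),
        "3 1 1 on own key, before": tlsa_matches(PIN_OWN_KEY, CHAIN_BEFORE),
        "3 1 1 on own key, after": tlsa_matches(PIN_OWN_KEY, CHAIN_AFTER),
        "both records published, after": verify_dane([PIN_OLD_CA, PIN_OWN_KEY], CHAIN_AFTER),
    }


if __name__ == "__main__":
    for label, ok in rollover_outcome().items():
        print(f"{label}: {'match' if ok else 'NO MATCH'}")
    print(tlsa_rdata(PIN_OWN_KEY))
```

The "2 1 1" pin stops matching the moment the chain no longer carries the retired intermediate, which is exactly the stale-X3 population Viktor tracks; the "3 1 1" pin keeps matching because the operator controls when that key changes, and because the record lives in the operator's own DNS zone it can be updated there before the key is rotated. The same mechanism explains the last paragraph: a "3 1 1" record for a provider's server key breaks as soon as the provider rotates that key, which the pinning party neither controls nor is told about.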