Re: [TLS] Trusting self-signed TLS certificates - specifically for HTTPS

Bas Westerbaan <bas@cloudflare.com> Tue, 29 November 2022 15:05 UTC


> On the other hand, the actual certificates are not what one
> would want to log anyway. Instead one would only want to log DS RRsets
> or NODATA proofs from eTLD registries (gTLDs, ccTLDs and also various
> 2LD, 3LD, ... suffixes operated by TLD registries).

This is the case if you run your own authoritative DNS server. Most do not.
So you'd want transparency on the TLSA records as well.

> Similar spamming would be possible by
> obtaining certificates from many CAs and rolling them over as frequently
> as possible.

CAs have quite strict rate-limits in place for free certificate issuance,
so it's not a problem.

Best,

 Bas
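An added illustration, not part of the thread, of what "transparency on the TLSA records" could mean in practice: it derives DANE-EE TLSA RDATA (RFC 6698 usage 3, selector 1, matching type 1) from a SubjectPublicKeyInfo and appends each observed RRset to a hash-chained, per-name log that only grows when the RRset actually changes. The SPKI byte strings and the owner name are constructed sample values, and the log format is this example's own, not any deployed log.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed sample SPKI blobs (not real keys; only their hashes matter here).
SPKI_A = b"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01" + b"A" * 78
SPKI_B = b"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01" + b"B" * 78


def tlsa_rdata(spki_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation form of a TLSA record: usage 3 = DANE-EE, selector 1 = SPKI,
    matching type 1 = SHA-256 (the only selector/matching type implemented here)."""
    if selector != 1 or mtype != 1:
        raise ValueError("example only implements selector 1 / matching type 1")
    return f"{usage} {selector} {mtype} {hashlib.sha256(spki_der).hexdigest()}"


@dataclass
class LogEntry:
    owner: str         # e.g. "_443._tcp.www.example.com." (constructed)
    rrset: tuple       # sorted TLSA RDATA strings
    prev_hash: str     # hash of the previous entry, chaining the log
    entry_hash: str


def _entry_hash(owner: str, rrset: tuple, prev: str) -> str:
    body = json.dumps({"owner": owner, "rrset": list(rrset), "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


class TlsaLog:
    """Append-only, hash-chained log of TLSA RRsets, one chain per owner name."""

    def __init__(self) -> None:
        self.entries: dict[str, list[LogEntry]] = {}

    def observe(self, owner: str, rdatas) -> bool:
        """Append the RRset if it differs from the last logged one; True if appended.
        A re-issued certificate with the same key yields the same 3 1 1 record,
        so it does not add an entry (no log spam from mere certificate rollover)."""
        rrset = tuple(sorted(rdatas))
        chain = self.entries.setdefault(owner, [])
        if chain and chain[-1].rrset == rrset:
            return False
        prev = chain[-1].entry_hash if chain else "0" * 64
        chain.append(LogEntry(owner, rrset, prev, _entry_hash(owner, rrset, prev)))
        return True

    def verify(self, owner: str) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for e in self.entries.get(owner, []):
            if e.prev_hash != prev or e.entry_hash != _entry_hash(owner, e.rrset, prev):
                return False
            prev = e.entry_hash
        return True
```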