Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item

Martin Rex <mrex@sap.com> Thu, 09 June 2011 02:44 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 896C221F84EE; Wed, 8 Jun 2011 19:44:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.235
X-Spam-Level:
X-Spam-Status: No, score=-9.235 tagged_above=-999 required=5 tests=[AWL=1.014, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KV8CRFiwzvA9; Wed, 8 Jun 2011 19:44:25 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id C5BB121F84ED; Wed, 8 Jun 2011 19:44:24 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p592i87e028403 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 9 Jun 2011 04:44:08 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201106090244.p592i7XA029918@fs4113.wdf.sap.corp>
To: pgut001@cs.auckland.ac.nz (Peter Gutmann)
Date: Thu, 9 Jun 2011 04:44:07 +0200 (MEST)
In-Reply-To: <E1QUCgh-0005Mx-J4@login01.fos.auckland.ac.nz> from "Peter Gutmann" at Jun 8, 11 06:56:23 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: pkix@ietf.org, paul.hoffman@vpnc.org, tls@ietf.org
Subject: Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jun 2011 02:44:25 -0000

Peter Gutmann wrote:
> 
> Yoav Nir <ynir@checkpoint.com> writes:
> > 
> > CAA works if all root CAs and affiliates follow it. That's hundreds or
> > thousands of entities. Any one of them that fails to comply might ignore
> > the CAA record.
> 
> That was my problem with it, any CA (and/or RA) that's already diligent
> about cert issuance doesn't need CAA, and any one that isn't won't use
> it anyway, so it doesn't address any existing problem.

You're looking at CAA from the wrong angle.

CAA is _not_ for the RP, i.e. not for _you_ (and me, and most others ...)
It is only another means for a CA to detect attempts to subvert one of
its RAs, so it's primary purpose is CYA for large commercial CAs.

So a Server admin that has a CAA published is not really using it to
_protect_ clients.  It may reduce the likelyhood to get certs
mis-issued, though, and is therefore well in the ballpark of
what businesses are doing to protect against fraud (not protecting
against it, just make it remain under a certain fraud loss threshold).


-Martin