Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item

Yoav Nir <ynir@checkpoint.com> Wed, 08 June 2011 08:38 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Wed, 8 Jun 2011 11:37:44 +0300
Message-ID: <6B039F9F-B66E-41A3-894E-8F1996A87209@checkpoint.com>
References: <E1QUDSr-00081X-EE@login01.fos.auckland.ac.nz>
In-Reply-To: <E1QUDSr-00081X-EE@login01.fos.auckland.ac.nz>
Cc: "pkix@ietf.org" <pkix@ietf.org>, "paul.hoffman@vpnc.org" <paul.hoffman@vpnc.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item

On Jun 8, 2011, at 10:46 AM, Peter Gutmann wrote:

> Yoav Nir <ynir@checkpoint.com> writes:
> 
>> It would have prevented what has become known as "Comodo-gate". The attacker
>> subverted an RA. If the CA was doing the CAA checking, the attacker would be
>> foiled.
> 
> Uh, re-read my original text:
> 
>> That was my problem with it, any CA (and/or RA) that's already diligent about
>> cert issuance doesn't need CAA, and any one that isn't won't use it anyway, so
>> it doesn't address any existing problem.
> 
> What makes you class Comodo as a diligent CA?

What did Comodo fail to do?

The RA is handling contact with the customer, so it's their job to make sure that the customer is in fact the owner of the domain name in the certificate request.

Without CAA, there's nothing left for Comodo to check.

Yoav
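The check the thread argues about, as an added example that is not part of the message or of any CA's code: a minimal CAA authorization decision modelled on the RFC 6844 "relevant record set" climb, run against a constructed in-memory zone rather than live DNS. The CA identifier, zone contents and record encoding are assumptions for illustration.

```python
# Constructed CAA data (not real DNS): name -> list of (flags, tag, value).
# Absent names have no CAA records. "ca-a.example" is an assumed CA identifier.
ZONE = {
    "example.com.": [(0, "issue", "ca-a.example"),
                     (0, "iodef", "mailto:security@example.com")],
    "locked.example.com.": [(0, "issue", ";")],        # no CA may issue
    "strict.example.com.": [(128, "futuretag", "x")],  # critical, unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit


def caa_records(name):
    return ZONE.get(name, [])


def relevant_caa_set(fqdn):
    """Climb from fqdn toward the root; the first non-empty CAA set is relevant."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = caa_records(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def ca_may_issue(fqdn, ca_identifier="ca-a.example", wildcard=False):
    """True if a CA identified by ca_identifier is permitted to issue for fqdn."""
    rrset = relevant_caa_set(fqdn)
    if not rrset:
        return True  # no CAA anywhere in the tree: CAA imposes no restriction
    # A critical property the CA does not understand forbids issuance outright.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issuewild" if wildcard else "issue"
    values = [v for _, t, v in rrset if t == tag]
    if wildcard and not values:
        values = [v for _, t, v in rrset if t == "issue"]  # issuewild falls back to issue
    if not values:
        return True  # CAA present (e.g. only iodef) but no issuance restriction
    for value in values:
        issuer = value.split(";", 1)[0].strip().lower()  # domain part before parameters
        if issuer and issuer == ca_identifier.lower():
            return True
    return False  # listed CAs do not include this one, or the value is ";"
```

With a record like `example.com. CAA 0 issue "ca-a.example"`, a CA other than ca-a.example is refused even if its RA was convinced by the requester, which is the point Yoav makes about the RA compromise.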