IETF Logo Mail Archive

Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 08 June 2011 07:46 UTC

Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 995B021F8503; Wed, 8 Jun 2011 00:46:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q-RH7m4BWMvn; Wed, 8 Jun 2011 00:46:20 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by ietfa.amsl.com (Postfix) with ESMTP id B9E9821F8502; Wed, 8 Jun 2011 00:46:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1307519180; x=1339055180; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20pgut001@cs.auckland.ac.nz,=20ynir@checkpoint.com |Subject:=20Re:=20[TLS]=20[pkix]=20Proposing=20CAA=20as =20PKIX=20Working=20Group=20Item|Cc:=20mike-list@pobox.co m,=20paul.hoffman@vpnc.org,=20pkix@ietf.org,=0D=0A=20=20 =20=20tls@ietf.org|In-Reply-To:=20<6201F47E-26F1-43F0-839 B-78D1360D2EC4@checkpoint.com>|Message-Id:=20<E1QUDSr-000 81X-EE@login01.fos.auckland.ac.nz>|Date:=20Wed,=2008=20Ju n=202011=2019:46:09=20+1200; bh=3TezGZHmIxV4TACv5M8PRhmDR8zo2Kp+hvi+/V+1rnY=; b=AkU5y/Xkrdiw61INRqhM2ohnIk7Y7e/PVJlSZxtnq15IOZvP2YjdS9k8 +7nDi/Gs9iC6LZy9oZOOu8T3XQ8v2X/PQv/KpAshMwOjvRdluf24N+OSj e4VgOzidfyM8eqst8lmh20W7NiUoZsvgWRJnSzZ+k/FmKfVwnHTcz7c9N w=;
X-IronPort-AV: E=Sophos;i="4.65,337,1304251200"; d="scan'208";a="66158433"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 08 Jun 2011 19:46:10 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QUDSr-0000yL-I7; Wed, 08 Jun 2011 19:46:09 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QUDSr-00081X-EE; Wed, 08 Jun 2011 19:46:09 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: pgut001@cs.auckland.ac.nz, ynir@checkpoint.com
In-Reply-To: <6201F47E-26F1-43F0-839B-78D1360D2EC4@checkpoint.com>
Message-Id: <E1QUDSr-00081X-EE@login01.fos.auckland.ac.nz>
Date: Wed, 08 Jun 2011 19:46:09 +1200
Cc: pkix@ietf.org, paul.hoffman@vpnc.org, tls@ietf.org
Subject: Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jun 2011 07:46:20 -0000

Yoav Nir <ynir@checkpoint.com> writes:

>It would have prevented what has become known as "Comodo-gate". The attacker
>subverted an RA. If the CA was doing the CAA checking, the attacker would be
>foiled.

Uh, re-read my original text:

> That was my problem with it, any CA (and/or RA) that's already diligent about
> cert issuance doesn't need CAA, and any one that isn't won't use it anyway, so
> it doesn't address any existing problem.

What makes you class Comodo as a diligent CA?

(Not wanting to re-open the Comodo bashing again, but I'd use "Comodogate" as
a prime example of why CAA won't do much good).

Peter.

v2.23.0 | Report a Bug | By Email