Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item

Yoav Nir <ynir@checkpoint.com> Wed, 08 June 2011 07:32 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E95A21F8476; Wed, 8 Jun 2011 00:32:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.548
X-Spam-Level:
X-Spam-Status: No, score=-9.548 tagged_above=-999 required=5 tests=[AWL=1.051, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8+KPvno+EZ6e; Wed, 8 Jun 2011 00:32:57 -0700 (PDT)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 1BE7621F8475; Wed, 8 Jun 2011 00:32:55 -0700 (PDT)
X-CheckPoint: {4DEF33AA-2-1B221DC2-FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id p587Woog018324; Wed, 8 Jun 2011 10:32:50 +0300
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Wed, 8 Jun 2011 10:32:49 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Wed, 8 Jun 2011 10:32:48 +0300
Thread-Topic: [TLS] [pkix] Proposing CAA as PKIX Working Group Item
Thread-Index: AcwlrkRXTAB8wUHGRnqB4ujQJkVunw==
Message-ID: <6201F47E-26F1-43F0-839B-78D1360D2EC4@checkpoint.com>
References: <E1QUCgh-0005Mx-J4@login01.fos.auckland.ac.nz>
In-Reply-To: <E1QUCgh-0005Mx-J4@login01.fos.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "pkix@ietf.org" <pkix@ietf.org>, "paul.hoffman@vpnc.org" <paul.hoffman@vpnc.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jun 2011 07:32:57 -0000

On Jun 8, 2011, at 9:56 AM, Peter Gutmann wrote:

> Yoav Nir <ynir@checkpoint.com> writes:
> 
>> CAA works if all root CAs and affiliates follow it. That's hundreds or
>> thousands of entities. Any one of them that fails to comply might ignore the
>> CAA record.
> 
> That was my problem with it, any CA (and/or RA) that's already diligent about 
> cert issuance doesn't need CAA, and any one that isn't won't use it anyway, so 
> it doesn't address any existing problem.
> 
> Peter.

It would have prevented what has become known as "Comodo-gate". The attacker subverted an RA. If the CA was doing the CAA checking, the attacker would be foiled. If checking the CAA is delegated to the RA, it would not help, but the draft specifically talks about certification authorities.