Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item

Marsh Ray <marsh@extendedsubset.com> Fri, 03 June 2011 03:54 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0362DE07A3; Thu, 2 Jun 2011 20:54:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D0GWUXR3ACr8; Thu, 2 Jun 2011 20:54:07 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-04-ewr.mailhop.org [204.13.248.74]) by ietfa.amsl.com (Postfix) with ESMTP id 1F9D2E0678; Thu, 2 Jun 2011 20:54:07 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.72) (envelope-from <marsh@extendedsubset.com>) id 1QSLST-000P6T-Fv; Fri, 03 Jun 2011 03:54:01 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id D66AE601A; Fri, 3 Jun 2011 03:53:58 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18is+iucigW3xeJKZDAYuxJ2Ihv2PXGOsI=
Message-ID: <4DE85AD7.8010407@extendedsubset.com>
Date: Thu, 02 Jun 2011 22:53:59 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110424 Thunderbird/3.1.10
MIME-Version: 1.0
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <E1QSKXu-0000S2-2s@login01.fos.auckland.ac.nz>
In-Reply-To: <E1QSKXu-0000S2-2s@login01.fos.auckland.ac.nz>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: paul.hoffman@vpnc.org, tls@ietf.org, pkix@ietf.org
Subject: Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jun 2011 03:54:08 -0000

On 06/02/2011 09:55 PM, Peter Gutmann wrote:
> Yoav Nir <ynir@checkpoint.com> writes:
>
>> In late 2008, when some researchers got RapidSSL to sign a certificate
>> request that collided with their rogue sub-CA certificate, several things
>> came to light:
>> - They were a ridiculously small company, with the only full-time employee.
>> An accountant
>
> I wasn't aware of this one, do you have any pointers to info on this?  I guess
> a Webtrust audit doesn't check whether you have more than a single employee :-).

I think he's referring to Stevens, Sotirov, et al. 2008
http://www.win.tue.nl/hashclash/rogue-ca/
which I'm sure you heard about.

I hadn't heard the part about the single employee though.

- Marsh