Hi Nick,

On 13/09/17 20:39, Nick Lamb wrote:
> Gerv, rather than start by digging into the specific technical details, let 
> me ask a high level question.
> 
> Suppose I have deployed DNSSEC for my domain tlrmx.org and I have a CAA 
> record saying to only permit the non-existent Gotham Certificates 
> gotham.example to issue.
> 
> You say you don't want CAs to need to implement DNSSEC. But you also don't 
> want them issuing for my domain. How did you imagine this circle would be 
> squared?

There seems to have been some progress made on the CAB Forum list in
terms of defining exactly what it means for a domain to have or not have
DNSSEC, and how a CA can determine that.

It might also be worth thinking about the value that DNSSEC adds, over
and above a non-secure CAA check, in various attack scenarios. At the
moment, I'm thinking that DNSSEC doesn't necessarily add much. Here are
3 quick scenarios, for a domain which is CAA locked so only CA Bar can
issue:

* Misguided employee tries to get CA Foo to issue for your domain - in
which case, non-DNSSEC-signed checking will do.

* Attacker has some control of CA Foo but can't override CAA check - in
which case, non-DNSSEC-signed checking will do.

* Attacker has control of CA Foo but can override CAA check - in which
case, it doesn't matter what your DNS says.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
