Hi Ryan!

The "multiple perspective validations" is an interesting idea. Did you think 
about combining it with CAA checking? I could imagine having a new tag, e.g. 
"allowedMethods", in which the legitimate owner of a domain can specify the 
set of allowed methods to validate his domain. As an example, the value 
"(3.2.2.4.1 AND 3.2.2.4.5) OR 3.2.2.4.9" in the new "allowedMethods" tag could 
mean that a certificate may only be issued if two validations acc. 3.2.2.4.1 
and 3.2.2.4.1 were successful or if one validation acc. 3.2.2.4.9 was 
successful. Any other method of validation would not be allowed. I see here the 
benefit that the owner of a domain can choose how to verify according to his 
business needs and select the appropriate level of security for his domains.

With best regards,
Rufus Buschart

Siemens AG
Information Technology
Human Resources
PKI / Trustcenter
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany
Tel.: +49 1522 2894134
mailto:rufus.busch...@siemens.com
www.twitter.com/siemens

www.siemens.com/ingenuityforlife

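The "allowedMethods" CAA expression proposed above, combined with the multi-perspective validation Ryan Hurst describes in the quoted message below, as an added Python example that is not part of either message. The tag name, the expression grammar (AND binds tighter than OR, parentheses group), and the per-method quorum rule are assumptions of this example, not anything defined in RFC 8659 or the Baseline Requirements; the method numbers are taken from the message, and the vantage-point results are constructed.

```python
"""Evaluate a hypothetical CAA "allowedMethods" policy against validation results
gathered from several network vantage points (multi-perspective validation).

Assumptions of this example: the tag name, the grammar and the quorum rule are
hypothetical; method identifiers are BR section numbers quoted in the thread.
"""
import re
from typing import Dict, List, Set, Tuple

# One token per match: "(", ")", "AND", "OR", or a dotted method number.
TOKEN_RE = re.compile(r"\s*(\(|\)|AND|OR|\d+(?:\.\d+)+)\s*")


def tokenize(expr: str) -> List[str]:
    """Split the policy string into tokens; any other text is a syntax error."""
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser producing a small tuple-based syntax tree.

    expr   := term ('OR' term)*
    term   := factor ('AND' factor)*
    factor := METHOD | '(' expr ')'
    """

    def __init__(self, tokens: List[str]):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self, expected: str = None) -> str:
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self) -> Tuple:
        node = self.expr()
        if self.peek() is not None:  # e.g. an unbalanced ")"
            raise ValueError(f"unexpected trailing token {self.peek()!r}")
        return node

    def expr(self) -> Tuple:
        node = self.term()
        while self.peek() == "OR":
            self.take()
            node = ("OR", node, self.term())
        return node

    def term(self) -> Tuple:
        node = self.factor()
        while self.peek() == "AND":
            self.take()
            node = ("AND", node, self.factor())
        return node

    def factor(self) -> Tuple:
        tok = self.take()
        if tok == "(":
            node = self.expr()
            self.take(")")
            return node
        if tok in ("AND", "OR", ")"):
            raise ValueError(f"unexpected {tok!r}")
        return ("METHOD", tok)


def evaluate(node: Tuple, passed: Set[str]) -> bool:
    """True if the policy is satisfied by the set of methods that passed."""
    if node[0] == "METHOD":
        return node[1] in passed
    left, right = evaluate(node[1], passed), evaluate(node[2], passed)
    return (left and right) if node[0] == "AND" else (left or right)


def methods_passed(results: Dict[str, Dict[str, bool]], quorum: int) -> Set[str]:
    """Multi-perspective rule (assumed): a method counts as passed only when at
    least `quorum` vantage points independently saw it succeed."""
    return {m for m, views in results.items() if sum(views.values()) >= quorum}


def issuance_allowed(policy: str, results: Dict[str, Dict[str, bool]],
                     quorum: int = 2) -> bool:
    """Parse the domain owner's policy and decide whether issuance may proceed."""
    tree = Parser(tokenize(policy)).parse()
    return evaluate(tree, methods_passed(results, quorum))


# Constructed sample data: the policy from the message, and per-method results
# from three hypothetical vantage points. In HIJACK_VIEWS only one vantage point
# (the one whose DNS path was diverted) saw method 3.2.2.4.9 succeed.
POLICY = "(3.2.2.4.1 AND 3.2.2.4.5) OR 3.2.2.4.9"
HIJACK_VIEWS = {
    "3.2.2.4.9": {"us-east": True, "eu-west": False, "ap-south": False},
    "3.2.2.4.1": {"us-east": True, "eu-west": True, "ap-south": True},
}
GOOD_VIEWS = {
    "3.2.2.4.1": {"us-east": True, "eu-west": True, "ap-south": True},
    "3.2.2.4.5": {"us-east": True, "eu-west": True, "ap-south": False},
}

if __name__ == "__main__":
    print("hijack, quorum 2:", issuance_allowed(POLICY, HIJACK_VIEWS, quorum=2))
    print("hijack, quorum 1:", issuance_allowed(POLICY, HIJACK_VIEWS, quorum=1))
    print("good,   quorum 2:", issuance_allowed(POLICY, GOOD_VIEWS, quorum=2))
```

With a single vantage point (quorum 1) the diverted 3.2.2.4.9 check alone satisfies the policy; requiring agreement from two perspectives rejects it, while the all-agreeing GOOD_VIEWS case still passes. A method absent from the results simply never counts as passed, so an owner listing only two methods implicitly forbids all others, which is the restriction the message proposes.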


> -----Original Message-----
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+rufus.buschart=siemens.com@lists.m
> ozilla.org] On Behalf Of Ryan Hurst via dev-security-policy
> Sent: Wednesday, 25 April 2018 10:57
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Regional BGP hijack of Amazon DNS infrastructure
> 
> On Tuesday, April 24, 2018 at 5:29:05 PM UTC+2, Matthew Hardeman wrote:
> > This story is still breaking, but early indications are that:
> >
> > 1.  An attacker at AS10297 (or a customer thereof) announced several 
> > more specific subsets of some Amazon DNS infrastructure prefixes:
> >
> > 205.251.192-.195.0/24 205.251.197.0/24 205.251.199.0/24
> >
> > 2.  It appears that AS10297 via peering arrangement with Google got 
> > Google's infrastructure to buy (accept) the hijacked advertisements.
> >
> > 3.  It has been suggested that at least one of the anycast 8.8.8.8 
> > resolvers performed resolutions of some zones via the hijacked targets.
> >
> > It seems prudent for CAs to look into this deeper and scrutinize any 
> > domain validations reliant in DNS from any of those ranges this morning.
> 
> This is an example of why ALL CAs should either already be doing 
> multi-perspective domain control validation or be working towards that in the 
> very near future.
> 
> These types of attacks are far from new; we had discussions about them 
> back in the early 2000s while at Microsoft and I know we were not the 
> only ones. One of the earlier papers I recall discussing this topic 
> was from the late 08 timeframe from CMU - 
> https://www.cs.cmu.edu/~dga/papers/perspectives-usenix2008/
> 
> The most recent work on this I am aware of is the Princeton paper from last 
> year:
> http://www.cs.princeton.edu/~jrex/papers/bamboozle18.pdf
> 
> As the approved validation mechanisms are cleaned up and hopefully 
> reduced to a limited few with known security properties the natural next step 
> is to require those that utilize these methods to also use multiple 
> perspective validations to mitigate this class of risk.
> 
> Ryan Hurst (personal)
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy