On Wed, Feb 27, 2019 at 8:04 PM Nick Lamb via dev-security-policy <[email protected]> wrote:

> On Tue, 26 Feb 2019 17:10:49 -0600
> Matthew Hardeman via dev-security-policy
> <[email protected]> wrote:
>
> > Is it even proper to have a SAN dnsName in in-addr.arpa ever?
>
> It does feel as though ARPA should consider adding a CAA record to
> in-addr.arpa and similar hierarchies that don't want certificates,
> denying all CAs, as a defence in depth measure.

Alternatively, and perhaps more comprehensively, it may be better to ensure that those Special Use Domains that are either delegated to or reserved by IANA or the IESG can only have certificates issued by those respective organizations. These are enumerated prosaically at https://www.iana.org/domains/reserved for those reserved by policy, and https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml is a registry of those reserved by relevant standards.

This approach is already taken with regards to IP addresses, and more comprehensively avoids ambiguity. It has the benefit of defaulting secure - by not requiring a domain holder (including IANA) to somehow take special action to protect existing practice. Should concrete use cases present themselves - of which BGP is not one (see BGPsec for more details) - then those can be relaxed on a case by case basis. The .onion Domain is an example of a pre-existing relaxation.

This would still permit .arpa certificates - specific language would be needed (and should be done) to either prohibit or apply the same consistency to as IP certificates - but would otherwise close a class of “obvious” errors. The suggestion was intentionally not a blanket ban, as IANA/ICANN does and has obtained legitimate certificates for the example domains in the past.
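
The default-deny rule proposed in the message above, sketched as a pre-issuance check on a SAN dnsName. This is an added example, not part of the original message and not any CA's or root program's code; the function names, the return labels and the `requester_is_iana_or_iesg` flag are hypothetical, and `SPECIAL_USE` is a constructed subset of the two IANA lists linked in the message.

```python
# Constructed subset of reserved / special-use names (assumption: a real
# check would load the full IANA lists linked in the message).
SPECIAL_USE = frozenset({
    "example", "example.com", "example.net", "example.org",
    "invalid", "localhost", "test", "local", "onion",
    "10.in-addr.arpa", "168.192.in-addr.arpa",
})
# The pre-existing relaxation named in the message.
RELAXED = frozenset({"onion"})


def matched_suffix(dns_name):
    """Return the longest listed name that covers dns_name, or None.

    Matching is per DNS label, so "notexample.com" is not treated as
    being under "example.com".
    """
    labels = dns_name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":      # wildcard SAN: check the base name
        labels = labels[1:]
    for i in range(len(labels)):         # longest suffix first
        candidate = ".".join(labels[i:])
        if candidate in SPECIAL_USE:
            return candidate
    return None


def decision(dns_name, requester_is_iana_or_iesg=False):
    """Hypothetical policy outcome for one SAN dnsName."""
    suffix = matched_suffix(dns_name)
    if suffix is None:
        return "not-listed"              # ordinary validation rules apply
    if suffix in RELAXED or requester_is_iana_or_iesg:
        return "permit"                  # relaxed case or the reserving body
    return "refuse"                      # default-deny for everyone else
```

With only the listed names, `4.3.2.1.in-addr.arpa` comes back as `not-listed`, which is the gap the message says would need specific language for .arpa.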

