On 2021-08-25, Chris Angelico <ros...@gmail.com> wrote:
> On Thu, Aug 26, 2021 at 12:48 AM Jon Ribbens via Python-list
> <python-list@python.org> wrote:
>> Another attempt at combatting this problem is DNS CAA records,
>> which are a way of politely asking all CAs in the world except the
>> ones you choose "please don't issue a certificate for my domain".
>> By definition someone who had hacked a CA would pay no attention
>> to that request, of course.
>
> True, but that would still prevent legit CAs from unwittingly
> contributing to an attack. But it still wouldn't help if someone can
> do any sort of large-scale DNS attack, which is kinda essential for
> most of this to matter anyway (it doesn't matter if an attacker has a
> fake cert if all traffic goes to the legit site anyway).

That depends whether it's a large-scale attack or targeted at some
particular person or organisation, I suppose.

> Earlier I posited a hypothetical approach wherein the server would
> sign a new cert using the old cert, and would then be able to present
> that upon request. Are there any massive glaring problems with that?

That's a very similar idea to HTTP Public Key Pinning, and apparently
there were enough problems with that that they discontinued it.

> But, maybe we're just coming back to "it doesn't matter and nobody
> really cares".

People don't care until something goes wrong, and then suddenly they
care a great deal...

-- 
https://mail.python.org/mailman/listinfo/python-list
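The CAA mechanism discussed in the thread, as an added example that is not part of the original posts: a small RFC 8659-style check of whether a given CA is authorised to issue for a name, run over constructed zone data (no live DNS lookup, and CNAME/DNAME chasing is left out).

```python
from typing import Dict, List, Tuple

# Constructed zone data for this example: owner name -> CAA RRset as (flags, tag, value).
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),   # only this CA may issue
        (0, "issuewild", ";"),             # no CA may issue wildcard certs
    ],
    "locked.example": [(0, "issue", ";")], # no CA may issue anything
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def lookup_caa(name: str, zone: Dict[str, List[Tuple[int, str, str]]]):
    """Return the relevant CAA RRset: the first one found climbing toward the root
    (RFC 8659 section 3; CNAME/DNAME chasing is omitted in this example)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_domain(value: str) -> str:
    """A property value is "issuer-domain-name [; parameters]"; keep just the name."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(ca: str, name: str, zone=ZONE) -> bool:
    """True if CA `ca` is allowed to issue a certificate for `name`.
    A name beginning with '*.' is a wildcard request."""
    wildcard = name.startswith("*.")
    rrset = lookup_caa(name[2:] if wildcard else name, zone)
    if not rrset:
        return True  # no CAA anywhere in the tree: issuance is unrestricted
    # A critical (flag bit 128) property the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag_wanted = "issue"
    if wildcard and any(tag == "issuewild" for _, tag, _ in rrset):
        tag_wanted = "issuewild"
    permitted = {issuer_domain(v) for _, tag, v in rrset if tag == tag_wanted}
    if not permitted:
        return True  # CAA present, but no restriction on this kind of issuance
    return ca.lower() in permitted  # ";" yields "" which never matches a real CA
```

As the thread notes, this is a policy check that an honest CA performs at issuance time; a compromised CA simply skips it, so CAA limits accidental mis-issuance rather than a hostile one.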