Re: CAA Certificate Problem Report

On Tuesday, September 19, 2017 at 10:37:20 AM UTC-5, Gervase Markham wrote: > On 19/09/17 14:58, Nick Lamb wrote: > > An attacker only has to _prefer_ one particular CA for any reason, > > > Yep, fair. > > Gerv Quite true. In the example scenario that I have just posted, such preference

Re: CAA Certificate Problem Report

On 13/09/17 23:57, Matthew Hardeman wrote: > This is especially the case for CAA records, which have an explicit security > function: controlling, at a minimum, who may issue publicly trusted > certificates for a given FQDN. I'd be interested in your engagement on my brief threat modelling; it

Re: CAA Certificate Problem Report

Hi Nick, On 13/09/17 20:39, Nick Lamb wrote: > Gerv, rather than start by digging into the specific technical details, let > me ask a high level question. > > Suppose I have deployed DNSSEC for my domain tlrmx.org and I have a CAA > record saying to only permit the non-existent Gotham

Re: CAA Certificate Problem Report

On 14/09/2017 01:13, Matthew Hardeman wrote: On Tuesday, September 12, 2017 at 5:36:56 AM UTC-5, Gervase Markham wrote: As the drafter of the section :-), my intent was to make it so that if a site owner were concerned about the possibility that their CAA record or DNS could be spoofed, they

Re: CAA Certificate Problem Report

I concur in full with Nick Lamb's comments and positions on this matter. There is no reasonable short cut to actually doing the DNSSEC thing if we want to usefully intertwine those technologies at all. There IS significant benefit in enforcing complete DNSSEC validation for (all) the domain

Re: CAA Certificate Problem Report

Gerv, rather than start by digging into the specific technical details, let me ask a high level question. Suppose I have deployed DNSSEC for my domain tlrmx.org and I have a CAA record saying to only permit the non-existent Gotham Certificates gotham.example to issue. You say you don't want

Re: CAA Certificate Problem Report

On 11/09/17 22:28, Jeremy Rowley wrote: > I would support that. I can't recall why it's in there. As the drafter of the section :-), my intent was to make it so that if a site owner were concerned about the possibility that their CAA record or DNS could be spoofed, they could use DNSSEC to solve

Re: CAA Certificate Problem Report

row...@digicert.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CAA Certificate Problem Report On Sep 11, 2017, at 17:03, Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: For a little more context, the idea is that we can speed up t

RE: CAA Certificate Problem Report

I'm struggling to get my head around what you're asking for. I think you're seriously asking if there's a way to skip all the actual security of DNSSEC and get a secure answer anyway? No. The answer is "No". If you're comfortable with answers that might be lies, you can skip DNSSEC entirely.

Re: CAA Certificate Problem Report

> On Sep 11, 2017, at 18:30, Ryan Sleevi via dev-security-policy > wrote: > > On Mon, Sep 11, 2017 at 3:09 PM Jonathan Rudenberg via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> >>> On Sep 11, 2017, at 17:41, Ryan Sleevi

Re: CAA Certificate Problem Report

On Mon, Sep 11, 2017 at 3:09 PM Jonathan Rudenberg via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > > On Sep 11, 2017, at 17:41, Ryan Sleevi via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > That seems like very poor logic and

Re: CAA Certificate Problem Report

> On Sep 11, 2017, at 17:41, Ryan Sleevi via dev-security-policy > wrote: > > That seems like very poor logic and justification. > > Given that CAA and DNSSEC has been discussed in the CA/Browser Forum for > literally years now, perhaps it's worth asking

RE: CAA Certificate Problem Report

nathan Rudenberg <jonat...@titanous.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CAA Certificate Problem Report That seems like very poor logic and justification. Given that CAA and DNSSEC has been discussed in the CA/Browser Forum for literally years now, perhaps it's

Re: CAA Certificate Problem Report

eremy Rowley <jeremy.row...@digicert.com> > Cc: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: CAA Certificate Problem Report > > > > On Sep 11, 2017, at 17:03, Jeremy Rowley via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >

RE: CAA Certificate Problem Report

e: CAA Certificate Problem Report > On Sep 11, 2017, at 17:03, Jeremy Rowley via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > > For a little more context, the idea is that we can speed up the CAA check for > all customers while working with those w

Re: CAA Certificate Problem Report

> On Sep 11, 2017, at 17:03, Jeremy Rowley via dev-security-policy > wrote: > > For a little more context, the idea is that we can speed up the CAA check for > all customers while working with those who have DNSSEC to make sure they > aren't killing

RE: CAA Certificate Problem Report

: Monday, September 11, 2017 2:56 PM To: Nick Lamb <tialara...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: CAA Certificate Problem Report I think that's the opposite of what I'm saying. CAs don't need to do DNSSEC provided 1) they don't want to issue certs where

RE: CAA Certificate Problem Report

: Re: CAA Certificate Problem Report On Monday, 11 September 2017 18:33:24 UTC+1, Jeremy Rowley wrote: > That's the entire corpus of information related to DNSSEC in the BRs. Under 4 > and 5, we successfully returned a DNS record. The lookup didn’t fail so the > sentence "the doma

Re: CAA Certificate Problem Report

On Monday, 11 September 2017 18:33:24 UTC+1, Jeremy Rowley wrote: > That's the entire corpus of information related to DNSSEC in the BRs. Under 4 > and 5, we successfully returned a DNS record. The lookup didn’t fail so the > sentence "the domain's zone does not have a DNSSEC validation chain

RE: CAA Certificate Problem Report

..@lists.mozilla.org; Jeremy Rowley <jeremy.row...@digicert.com> Subject: Re: CAA Certificate Problem Report On Sat, 9 Sep 2017 06:57:39 -0400 Jonathan Rudenberg via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > > On Sep 9, 2017, at 06:19, Peter Bowe

Re: CAA Certificate Problem Report

On 09/09/17 10:21, Jeremy Rowley wrote: > Certificate 1 contains a single DNS identifier for > big.basic.caatestsuite.com . This DNS > name has a CAA resource record set that is too large to fit within a single > DNS UDP packet, but small enough to fit within a

Re: CAA Certificate Problem Report

On Sat, 9 Sep 2017 18:10:02 -0700 Peter Bowen wrote: > On Sat, Sep 9, 2017 at 1:59 PM, Andrew Ayer > wrote: > > On Sat, 9 Sep 2017 13:53:52 -0700 > > Peter Bowen via dev-security-policy > > wrote: > > > >> On Sat,

Re: CAA Certificate Problem Report

On Sat, Sep 9, 2017 at 1:59 PM, Andrew Ayer wrote: > On Sat, 9 Sep 2017 13:53:52 -0700 > Peter Bowen via dev-security-policy > wrote: > >> On Sat, Sep 9, 2017 at 1:50 PM, Andrew Ayer >> wrote: >> > >> > drill is

Re: CAA Certificate Problem Report

On Sat, 9 Sep 2017 13:53:52 -0700 Peter Bowen via dev-security-policy wrote: > On Sat, Sep 9, 2017 at 1:50 PM, Andrew Ayer > wrote: > > > > drill is buggy and insecure. Obviously, such implementations can > > be found. Note that

Re: CAA Certificate Problem Report

On Sat, Sep 9, 2017 at 1:50 PM, Andrew Ayer wrote: > > drill is buggy and insecure. Obviously, such implementations can > be found. Note that drill is just a "debugging/query" tool, not a > resolver you would actually use in production. You'll find that the >

Re: CAA Certificate Problem Report

On Sat, Sep 9, 2017 at 11:50 AM, Andrew Ayer wrote: > On Sat, 9 Sep 2017 08:49:01 -0700 > Peter Bowen via dev-security-policy > wrote: > >> On Sat, Sep 9, 2017 at 3:57 AM, Jonathan Rudenberg >> wrote: >> > >> >>

Re: CAA Certificate Problem Report

On Sat, 9 Sep 2017 06:57:39 -0400 Jonathan Rudenberg via dev-security-policy wrote: > > > On Sep 9, 2017, at 06:19, Peter Bowen via dev-security-policy > > wrote: > > > > In all three of these cases, the "domain's

Re: CAA Certificate Problem Report

On Sat, Sep 9, 2017 at 3:57 AM, Jonathan Rudenberg wrote: > >> On Sep 9, 2017, at 06:19, Peter Bowen via dev-security-policy >> wrote: >> >> In all three of these cases, the "domain's zone does not have a DNSSEC >> validation chain

Re: CAA Certificate Problem Report

> On Sep 9, 2017, at 06:19, Peter Bowen via dev-security-policy > wrote: > > In all three of these cases, the "domain's zone does not have a DNSSEC > validation chain to the ICANN root" -- I requested SOA, DNSKEY, NS, > and CAA records types for each zone

Re: CAA Certificate Problem Report

For reference, here is the relevant bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1398428 > On Sep 9, 2017, at 05:21, Jeremy Rowley via dev-security-policy > wrote: > > big.basic.caatestsuite.com > > [JR] We only check CAA records with UDP to keep

Re: CAA Certificate Problem Report

> Certificate 3 contains a single DNS identifier for > refused.caatestsuite-dnssec.com > Attempts to query the CAA record for this DNS name result in a REFUSED DNS > response. Since there is a DNSSEC validation chain from this zone to the > ICANN root, CAs are not permitted to treat the lookup

CAA Certificate Problem Report

Hi everyone, We received a certificate problem report at 11 pm on Sep 8, 2017 from Andrew Ayer alleging the mis-issuance of 6 certificates because of a failure to properly verify CAA records. I'm sharing the report here because there are questions about CAA record checking that we feel