Re: CAA Certificate Problem Report

2017-09-19 Thread Matthew Hardeman via dev-security-policy
On Tuesday, September 19, 2017 at 10:37:20 AM UTC-5, Gervase Markham wrote: > On 19/09/17 14:58, Nick Lamb wrote: > > An attacker only has to _prefer_ one particular CA for any reason, > > > Yep, fair. > > Gerv Quite true. In the example scenario that I have just posted, such preference might

Re: CAA Certificate Problem Report

2017-09-19 Thread Matthew Hardeman via dev-security-policy
On Tuesday, September 19, 2017 at 8:02:36 AM UTC-5, Gervase Markham wrote: > I'd be interested in your engagement on my brief threat modelling; it > seems to me that DNSSEC only adds value in the scenario where an > attacker has some control of CA Foo's issuance process, but not enough > to overri

Re: CAA Certificate Problem Report

2017-09-19 Thread Gervase Markham via dev-security-policy
On 19/09/17 14:58, Nick Lamb wrote: > An attacker only has to _prefer_ one particular CA for any reason, Yep, fair. Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: CAA Certificate Problem Report

2017-09-19 Thread Nick Lamb via dev-security-policy
On Tuesday, 19 September 2017 14:02:36 UTC+1, Gervase Markham wrote: > I'd be interested in your engagement on my brief threat modelling; it > seems to me that DNSSEC only adds value in the scenario where an > attacker has some control of CA Foo's issuance process, but not enough > to override the

Re: CAA Certificate Problem Report

2017-09-19 Thread Patrick Figel via dev-security-policy
On 19/09/2017 14:59, Gervase Markham via dev-security-policy wrote: > It might also be worth thinking about the value that DNSSEC adds, over > and above a non-secure CAA check, in various attack scenarios. At the > moment, I'm thinking that DNSSEC doesn't necessarily add much. Here are > 3 quick sc

Re: CAA Certificate Problem Report

2017-09-19 Thread Gervase Markham via dev-security-policy
On 13/09/17 23:57, Matthew Hardeman wrote: > This is especially the case for CAA records, which have an explicit security > function: controlling, at a minimum, who may issue publicly trusted > certificates for a given FQDN. I'd be interested in your engagement on my brief threat modelling; it s

Re: CAA Certificate Problem Report

2017-09-19 Thread Gervase Markham via dev-security-policy
Hi Nick, On 13/09/17 20:39, Nick Lamb wrote: > Gerv, rather than start by digging into the specific technical details, let > me ask a high level question. > > Suppose I have deployed DNSSEC for my domain tlrmx.org and I have a CAA > record saying to only permit the non-existent Gotham Certifica

Re: CAA Certificate Problem Report

2017-09-14 Thread Jakob Bohm via dev-security-policy
On 14/09/2017 01:13, Matthew Hardeman wrote: On Tuesday, September 12, 2017 at 5:36:56 AM UTC-5, Gervase Markham wrote: As the drafter of the section :-), my intent was to make it so that if a site owner were concerned about the possibility that their CAA record or DNS could be spoofed, they c

Re: CAA Certificate Problem Report

2017-09-13 Thread Matthew Hardeman via dev-security-policy
On Tuesday, September 12, 2017 at 5:36:56 AM UTC-5, Gervase Markham wrote: > > As the drafter of the section :-), my intent was to make it so that if a > site owner were concerned about the possibility that their CAA record or > DNS could be spoofed, they could use DNSSEC to solve the problem. I

Re: CAA Certificate Problem Report

2017-09-13 Thread Matthew Hardeman via dev-security-policy
I concur in full with Nick Lamb's comments and positions on this matter. There is no reasonable short cut to actually doing the DNSSEC thing if we want to usefully intertwine those technologies at all. There IS significant benefit in enforcing complete DNSSEC validation for (all) the domain val

Re: CAA Certificate Problem Report

2017-09-13 Thread Nick Lamb via dev-security-policy
Gerv, rather than start by digging into the specific technical details, let me ask a high level question. Suppose I have deployed DNSSEC for my domain tlrmx.org and I have a CAA record saying to only permit the non-existent Gotham Certificates gotham.example to issue. You say you don't want CA

Re: CAA Certificate Problem Report

2017-09-12 Thread Gervase Markham via dev-security-policy
On 11/09/17 22:28, Jeremy Rowley wrote: > I would support that. I can't recall why it's in there. As the drafter of the section :-), my intent was to make it so that if a site owner were concerned about the possibility that their CAA record or DNS could be spoofed, they could use DNSSEC to solve

Re: CAA Certificate Problem Report

2017-09-11 Thread Adriano Santoni via dev-security-policy
On Sep 11, 2017, at 17:03, Jeremy Rowley via dev-security-policy wrote: For a little more context, the idea is that we can speed up the CAA check for all customers while working with those who have DNSSEC to

RE: CAA Certificate Problem Report

2017-09-11 Thread Nick Lamb via dev-security-policy
I'm struggling to get my head around what you're asking for. I think you're seriously asking if there's a way to skip all the actual security of DNSSEC and get a secure answer anyway? No. The answer is "No". If you're comfortable with answers that might be lies, you can skip DNSSEC entirely. Ot

Re: CAA Certificate Problem Report

2017-09-11 Thread Jonathan Rudenberg via dev-security-policy
> On Sep 11, 2017, at 18:30, Ryan Sleevi via dev-security-policy wrote: > > On Mon, Sep 11, 2017 at 3:09 PM Jonathan Rudenberg via dev-security-policy wrote: > >> >>> On Sep 11, 2017, at 17:41, Ryan Sleevi via dev-security-

Re: CAA Certificate Problem Report

2017-09-11 Thread Ryan Sleevi via dev-security-policy
On Mon, Sep 11, 2017 at 3:09 PM Jonathan Rudenberg via dev-security-policy wrote: > > > On Sep 11, 2017, at 17:41, Ryan Sleevi via dev-security-policy wrote: > > > > That seems like very poor logic and justificatio

Re: CAA Certificate Problem Report

2017-09-11 Thread Jonathan Rudenberg via dev-security-policy
> On Sep 11, 2017, at 17:41, Ryan Sleevi via dev-security-policy wrote: > > That seems like very poor logic and justification. > > Given that CAA and DNSSEC have been discussed in the CA/Browser Forum for > literally years now, perhaps it's worth asking why CAs are only now > discovering issu

RE: CAA Certificate Problem Report

2017-09-11 Thread Jeremy Rowley via dev-security-policy
That seems like very poor logic and justification. Given that CAA and DNSSEC have been discussed in the CA/Browser Forum for literally years now, perhaps it's worth asking why CAs are only now discovering issues. Th

Re: CAA Certificate Problem Report

2017-09-11 Thread Ryan Sleevi via dev-security-policy
> On Sep 11, 2017, at 17:03, Jeremy Rowley via dev-security-policy wrote: > > For a

RE: CAA Certificate Problem Report

2017-09-11 Thread Jeremy Rowley via dev-security-policy
I would support that. I can't recall why it's in there. -Original Message- From: Jonathan Rudenberg [mailto:jonat...@titanous.com] Sent: Monday, September 11, 2017 3:19 PM To: Jeremy Rowley Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CAA Certificate Prob

Re: CAA Certificate Problem Report

2017-09-11 Thread Jonathan Rudenberg via dev-security-policy
> On Sep 11, 2017, at 17:03, Jeremy Rowley via dev-security-policy > wrote: > > For a little more context, the idea is that we can speed up the CAA check for > all customers while working with those who have DNSSEC to make sure they > aren't killing performance. If there's a way to group the

RE: CAA Certificate Problem Report

2017-09-11 Thread Jeremy Rowley via dev-security-policy
I think that's the opposite of what I'm saying. CAs don't need to do DNSSEC provided 1) they don't want to issue certs whe

RE: CAA Certificate Problem Report

2017-09-11 Thread Jeremy Rowley via dev-security-policy
On Monday, 11 September 2017 18:33:24 UTC+1, Jeremy Rowley wrote: > That's the entire corpus of information related to DNSSEC in the BRs. Under 4 > and 5, we successfully returned a DNS record. The lookup didn’t fail so the

Re: CAA Certificate Problem Report

2017-09-11 Thread Nick Lamb via dev-security-policy
On Monday, 11 September 2017 18:33:24 UTC+1, Jeremy Rowley wrote: > That's the entire corpus of information related to DNSSEC in the BRs. Under 4 > and 5, we successfully returned a DNS record. The lookup didn’t fail so the > sentence "the domain's zone does not have a DNSSEC validation chain to

RE: CAA Certificate Problem Report

2017-09-11 Thread Jeremy Rowley via dev-security-policy
on on this. Jeremy -Original Message- From: Andrew Ayer [mailto:a...@andrewayer.name] Sent: Saturday, September 9, 2017 1:01 PM To: Jonathan Rudenberg Cc: Jonathan Rudenberg via dev-security-policy ; Peter Bowen ; mozilla-dev-security-pol...@lists.mozilla.org; Jeremy Rowley Subject: Re: CAA Certi

RE: CAA Certificate Problem Report

2017-09-11 Thread Jeremy Rowley via dev-security-policy
On 09/09/17 10:21, Jeremy Rowley wrote: > Certificate 1 contains a single DNS identifier for > big.basic.caatestsuite.com. This > DNS name has a CAA resource record set that is too large to fit within > a sing

Re: CAA Certificate Problem Report

2017-09-11 Thread Gervase Markham via dev-security-policy
On 09/09/17 10:21, Jeremy Rowley wrote: > Certificate 1 contains a single DNS identifier for > big.basic.caatestsuite.com. This DNS > name has a CAA resource record set that is too large to fit within a single > DNS UDP packet, but small enough to fit within a

Re: CAA Certificate Problem Report

2017-09-10 Thread Andrew Ayer via dev-security-policy
On Sat, 9 Sep 2017 18:10:02 -0700 Peter Bowen wrote: > On Sat, Sep 9, 2017 at 1:59 PM, Andrew Ayer > wrote: > > On Sat, 9 Sep 2017 13:53:52 -0700 > > Peter Bowen via dev-security-policy > > wrote: > > > >> On Sat, Sep 9, 2017 at 1:50 PM, Andrew Ayer > >> wrote: > >> > > >> > drill is buggy and

Re: CAA Certificate Problem Report

2017-09-09 Thread Peter Bowen via dev-security-policy
On Sat, Sep 9, 2017 at 1:59 PM, Andrew Ayer wrote: > On Sat, 9 Sep 2017 13:53:52 -0700 > Peter Bowen via dev-security-policy > wrote: > >> On Sat, Sep 9, 2017 at 1:50 PM, Andrew Ayer >> wrote: >> > >> > drill is buggy and insecure. Obviously, such implementations can >> > be found. Note that d

Re: CAA Certificate Problem Report

2017-09-09 Thread Andrew Ayer via dev-security-policy
On Sat, 9 Sep 2017 13:53:52 -0700 Peter Bowen via dev-security-policy wrote: > On Sat, Sep 9, 2017 at 1:50 PM, Andrew Ayer > wrote: > > > > drill is buggy and insecure. Obviously, such implementations can > > be found. Note that drill is just a "debugging/query" tool, not a > > resolver you wo

Re: CAA Certificate Problem Report

2017-09-09 Thread Peter Bowen via dev-security-policy
On Sat, Sep 9, 2017 at 1:50 PM, Andrew Ayer wrote: > > drill is buggy and insecure. Obviously, such implementations can > be found. Note that drill is just a "debugging/query" tool, not a > resolver you would actually use in production. You'll find that the > production-grade resolver from that

Re: CAA Certificate Problem Report

2017-09-09 Thread Andrew Ayer via dev-security-policy
On Sat, 9 Sep 2017 13:14:29 -0700 Peter Bowen via dev-security-policy wrote: > On Sat, Sep 9, 2017 at 11:50 AM, Andrew Ayer > wrote: > > On Sat, 9 Sep 2017 08:49:01 -0700 > > Peter Bowen via dev-security-policy > > wrote: > > > >> On Sat, Sep 9, 2017 at 3:57 AM, Jonathan Rudenberg > >> wrote:

Re: CAA Certificate Problem Report

2017-09-09 Thread Peter Bowen via dev-security-policy
On Sat, Sep 9, 2017 at 11:50 AM, Andrew Ayer wrote: > On Sat, 9 Sep 2017 08:49:01 -0700 > Peter Bowen via dev-security-policy > wrote: > >> On Sat, Sep 9, 2017 at 3:57 AM, Jonathan Rudenberg >> wrote: >> > >> >> On Sep 9, 2017, at 06:19, Peter Bowen via dev-security-policy >> >> wrote: >> >> >>

Re: CAA Certificate Problem Report

2017-09-09 Thread Andrew Ayer via dev-security-policy
On Sat, 9 Sep 2017 06:57:39 -0400 Jonathan Rudenberg via dev-security-policy wrote: > > > On Sep 9, 2017, at 06:19, Peter Bowen via dev-security-policy > > wrote: > > > > In all three of these cases, the "domain's zone does not have a > > DNSSEC validation chain to the ICANN root" -- I request

Re: CAA Certificate Problem Report

2017-09-09 Thread Andrew Ayer via dev-security-policy
On Sat, 9 Sep 2017 09:21:30 +0000 Jeremy Rowley via dev-security-policy wrote: > Certificate 1 contains a single DNS identifier for > big.basic.caatestsuite.com. > This DNS name has a CAA resource record set that is too large to fit > within a single DNS UDP

Re: CAA Certificate Problem Report

2017-09-09 Thread Andrew Ayer via dev-security-policy
On Sat, 9 Sep 2017 08:49:01 -0700 Peter Bowen via dev-security-policy wrote: > On Sat, Sep 9, 2017 at 3:57 AM, Jonathan Rudenberg > wrote: > > > >> On Sep 9, 2017, at 06:19, Peter Bowen via dev-security-policy > >> wrote: > >> > >> In all three of these cases, the "domain's zone does not have a

Re: CAA Certificate Problem Report

2017-09-09 Thread Peter Bowen via dev-security-policy
On Sat, Sep 9, 2017 at 3:57 AM, Jonathan Rudenberg wrote: > >> On Sep 9, 2017, at 06:19, Peter Bowen via dev-security-policy >> wrote: >> >> In all three of these cases, the "domain's zone does not have a DNSSEC >> validation chain to the ICANN root" -- I requested SOA, DNSKEY, NS, >> and CAA re

Re: CAA Certificate Problem Report

2017-09-09 Thread Jonathan Rudenberg via dev-security-policy
> On Sep 9, 2017, at 06:19, Peter Bowen via dev-security-policy > wrote: > > In all three of these cases, the "domain's zone does not have a DNSSEC > validation chain to the ICANN root" -- I requested SOA, DNSKEY, NS, > and CAA records types for each zone and in no case did I get a > response t

Re: CAA Certificate Problem Report

2017-09-09 Thread Jonathan Rudenberg via dev-security-policy
For reference, here is the relevant bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1398428 > On Sep 9, 2017, at 05:21, Jeremy Rowley via dev-security-policy > wrote: > > big.basic.caatestsuite.com > > [JR] We only check CAA records with UDP to keep performance good on certs > with hundreds

Re: CAA Certificate Problem Report

2017-09-09 Thread Peter Bowen via dev-security-policy
> Certificate 3 contains a single DNS identifier for > refused.caatestsuite-dnssec.com > Attempts to query the CAA record for this DNS name result in a REFUSED DNS > response. Since there is a DNSSEC validation chain from this zone to the > ICANN root, CAs are not permitted to treat the lookup fai
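The two failure modes the thread keeps returning to are (a) a CAA RRset that does not fit in a UDP response, so a UDP-only check sees a truncated answer and wrongly concludes there are no CAA records, and (b) a lookup that fails outright (here REFUSED) for a zone that has a DNSSEC validation chain to the ICANN root, which the Baseline Requirements text quoted above says a CA may not treat as permission to issue. The block below is an added example, not code from any poster, from DigiCert or from the caatestsuite.com project: a small RFC 6844-style check that climbs the DNS tree, retries over TCP on truncation, retries once on failure, and then applies the DNSSEC rule. Every resolver response is a constructed fake keyed by (name, transport); the names, RRsets and the set of "DNSSEC-signed" zones are invented assumptions and are not the real test-suite zone contents.

```python
"""Added example (not from the thread): CAA checking with the truncation and
lookup-failure handling the thread argues about. Resolver answers are fakes."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CRITICAL = 0x80  # RFC 6844 s.3: issuer-critical flag bit


@dataclass
class CAARecord:
    flags: int
    tag: str       # "issue", "issuewild", "iodef", or an unknown tag
    value: str     # issue/issuewild: "<issuer-domain>[; params]"; ";" alone forbids all


@dataclass
class DnsAnswer:
    rcode: str                                   # NOERROR, NXDOMAIN, REFUSED, SERVFAIL, TIMEOUT
    records: List[CAARecord] = field(default_factory=list)
    truncated: bool = False                      # TC bit set on a UDP answer


# Constructed fake resolver state (assumption: invented names and data).
BIG_RRSET = [CAARecord(0, "issue", f"decoy{i}.example") for i in range(80)] \
          + [CAARecord(0, "issue", "good.example")]
FAKE_DNS = {
    ("big.example", "udp"): DnsAnswer("NOERROR", truncated=True),   # RRset too large for UDP
    ("big.example", "tcp"): DnsAnswer("NOERROR", BIG_RRSET),
    ("refused.signed.example", "udp"): DnsAnswer("REFUSED"),
    ("refused.signed.example", "tcp"): DnsAnswer("REFUSED"),
    ("refused.plain.example", "udp"): DnsAnswer("REFUSED"),
    ("refused.plain.example", "tcp"): DnsAnswer("REFUSED"),
    ("restricted.example", "udp"): DnsAnswer("NOERROR", [
        CAARecord(0, "issue", "good.example"),
        CAARecord(0, "issuewild", ";"),          # wildcard issuance forbidden
    ]),
    ("critical.example", "udp"): DnsAnswer("NOERROR", [CAARecord(CRITICAL, "futuretag", "x")]),
}
# Names whose zone has a DS chain to the ICANN root (constructed assumption).
FAKE_DNSSEC_CHAIN = {"refused.signed.example", "signed.example"}


def query(name: str, transport: str) -> DnsAnswer:
    # Names absent from the fake table answer NOERROR with an empty CAA RRset.
    return FAKE_DNS.get((name, transport), DnsAnswer("NOERROR"))


def lookup_caa(name: str, retry_tcp: bool = True) -> Tuple[Optional[List[CAARecord]], str]:
    """Query one label. Returns (records, status), status in {answer, empty, failed}.
    retry_tcp=False reproduces the UDP-only behaviour reported in the thread:
    a truncated answer is mistaken for an empty RRset."""
    ans = query(name, "udp")
    if ans.truncated:
        if not retry_tcp:
            return [], "empty"               # the bug: TC treated as "no CAA records"
        ans = query(name, "tcp")             # correct: re-ask over TCP
    if ans.rcode in ("NOERROR", "NXDOMAIN"):
        return ans.records, "answer" if ans.records else "empty"
    ans = query(name, "tcp")                 # a failure only counts after a retry
    if ans.rcode in ("NOERROR", "NXDOMAIN"):
        return ans.records, "answer" if ans.records else "empty"
    return None, "failed"


def climb(fqdn: str) -> List[str]:
    """RFC 6844 s.4: the FQDN and each parent, up to but not including the root."""
    labels = fqdn.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def relevant_caa(fqdn: str, retry_tcp: bool = True):
    """The first label (bottom-up) with a non-empty CAA RRset governs; a lookup
    failure at any label ends the climb. CNAME handling is omitted."""
    for name in climb(fqdn):
        records, status = lookup_caa(name, retry_tcp)
        if status == "failed":
            return None, "failed", name
        if status == "answer":
            return records, "answer", name
    return [], "none", None


def may_issue(fqdn: str, ca_domain: str, wildcard: bool = False,
              retry_tcp: bool = True) -> Tuple[bool, str]:
    records, status, at = relevant_caa(fqdn, retry_tcp)
    if status == "failed":
        # BR 3.2.2.8 as quoted in the thread: a failed lookup may be treated as
        # permission only if retried and the zone has no DNSSEC chain to the root.
        if at in FAKE_DNSSEC_CHAIN:
            return False, f"CAA lookup for {at} failed and the zone is DNSSEC-signed: must not issue"
        return True, f"CAA lookup for {at} failed after retry and the zone is unsigned: BR permits issuance"
    if status == "none":
        return True, "no CAA RRset anywhere up the tree: no restriction"
    unknown = [r.tag for r in records if r.flags & CRITICAL and r.tag not in ("issue", "issuewild", "iodef")]
    if unknown:
        return False, f"unrecognised critical tag(s) {unknown} at {at}: must not issue"
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    rel = [r for r in records if r.tag == tag]
    if not rel:
        return True, f"CAA RRset at {at} has no {tag} tags: no restriction"
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in rel}
    allowed.discard("")                      # ";" (empty issuer) authorises nobody
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} authorised by {tag} at {at}"
    return False, f"{ca_domain} not listed in {tag} at {at}"


if __name__ == "__main__":
    for args in [("big.example", "other.example"), ("big.example", "other.example", False, False),
                 ("refused.signed.example", "good.example"), ("refused.plain.example", "good.example"),
                 ("*.restricted.example", "good.example", True)]:
        print(args, "->", may_issue(*args))
```

The `retry_tcp=False` path is the behaviour the report describes: with the truncated UDP answer read as "no records", the climb finds nothing and an unlisted CA is allowed to issue for `big.example`; with the TCP retry the same request is refused. The REFUSED cases differ only in whether the zone is in the constructed DNSSEC-chain set, which is exactly the distinction the quoted BR text turns on.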