CAA Records for IP Certificates


Antonios Chariton

Dec 2, 2022, 11:23:11 AM
to dev-secur...@mozilla.org
Hello everyone,

I have submitted the following Internet Draft to the IETF LAMPS Working Group for consideration: https://datatracker.ietf.org/doc/draft-chariton-ipcaa/ 


This proposes the creation of a new CAA record property, on top of the existing ones, e.g. “issuewild”, that will allow an entity controlling an IP address to benefit from the power of CAA records.

The idea is to add CAA records to the “reverse DNS” zones, ip6.arpa and in-addr.arpa, that support the hierarchical nature of DNS: a CAA record in 2.0.0.c.d.3.d.0.a.2.ip6.arpa takes precedence over one in 0.c.d.3.d.0.a.2.ip6.arpa .

As this is relevant to the WebPKI, I am sending this e-mail here to solicit your feedback on the idea, any potential improvements, etc.

Thanks,
Antonis



Kurt Seifried

Dec 2, 2022, 11:44:08 AM
to Antonios Chariton, dev-secur...@mozilla.org
I read it briefly but it seems to me like there's a significant failure/abuse scenario:

ISP controls an IP block that it portions out to customers. ISP has a web server and puts in the IP/IPv6 CAA records.

Customers that use delegated IP space from the ISP can now only use those CAAs as well if they want to use this standard, correct?

If this is correct, and I was a CA and read this, I'd be building a PowerPoint deck for my sales team on how ISPs can partner with us to get a 20-50% commission on sales of certificates by doing this one simple thing...



--
Kurt Seifried (He/Him)
ku...@seifried.org

Antonios Chariton

Dec 2, 2022, 11:58:03 AM
to Kurt Seifried, dev-secur...@mozilla.org


> On 2 Dec 2022, at 17:43, Kurt Seifried <ku...@seifried.org> wrote:
>
> I read it briefly but it seems to me like there's a significant failure/abuse scenario:
>
> ISP controls an IP block that it portions out to customers. ISP has a web server and puts in the IP/IPv6 CAA records.
>
> Customers that use delegated IP space from the ISP can now only use those CAAs as well if they want to use this standard, correct?
>
> If this is correct, and I was a CA and read this I'd be building a PowerPoint deck for my sales team on how ISP's can partner with us to get a 20-50% commission on sales of certificates by doing this one simple thing…


Hello Kurt,

Thanks for the feedback!

If an ISP would like to add a CAA record for just their web server, they would add it only for that IP Address, and other addresses would not be affected.

If they add a CAA record for their entire IP range, e.g. assuming they have 10.10.0.0/16 they add it on 10.10.in-addr.arpa, then clients can override this CAA record if they have a delegation for e.g. 10.10.10.in-addr.arpa or their ISP allows them to set CAA records the same way they set PTR records.

The same risk applies to regular CAA records and TLDs (CAA in com) or shared domains (CAA in no-ip.org). If the end user has a delegation, or the ability to update DNS records, they can override the ones set higher in the hierarchy. If not, then CAA will limit issuance and this becomes a human problem, not a computer problem.

Maybe it is due to ICANN’s rules, but I am not aware of this happening.

In both cases, the entity that controls the hierarchically higher resource (be it a domain or an IP Address), can always perform a Denial of Service against its own customers if it really wants to: just write a cron job that fetches all CT certificates of the past hour, finds all instances of its domain / IP Address range, and submits Certificate Problem Reports to the issuing CA. Probably after some time, no CA would like to deal with this and denylist this resource.

In my view, this takes an entity going against their customers for arguably no real / significant gain, and if we assume that this is the case, then worse things could happen.

Overall, this remains a risk, always, but I don’t personally view it as something significant enough to prevent progress and gain the benefits of CAA.

Perhaps I am underestimating this, so I’d be happy to hear more if you still believe that it is a big problem.

Thank you,
Antonis
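The precedence rule from the first message (a CAA at 2.0.0.c.d.3.d.0.a.2.ip6.arpa wins over one at 0.c.d.3.d.0.a.2.ip6.arpa) and the delegation override described in this reply (a customer with 10.10.10.in-addr.arpa overriding the ISP's 10.10.in-addr.arpa), shown as an added example that is not from the draft or from anyone in the thread. It assumes the lookup climbs the reverse name the same way RFC 8659 climbs a domain name, uses an in-memory zone of constructed records in place of real DNS, and uses "issue" as a stand-in tag because the thread does not name the draft's new property.

```python
import ipaddress

# Placeholder tag: the thread does not give the draft's property name.
TAG = "issue"

# Constructed reverse-zone data (not real DNS). The ISP publishes CAA for its
# parent blocks; a customer with a delegation publishes its own below them.
ZONE = {
    "10.10.in-addr.arpa": [(TAG, "isp-ca.example")],                  # 10.10.0.0/16
    "10.10.10.in-addr.arpa": [(TAG, "customer-ca.example")],          # 10.10.10.0/24
    "0.c.d.3.d.0.a.2.ip6.arpa": [(TAG, "isp-ca.example")],            # 2a0d:3dc0::/32
    "2.0.0.c.d.3.d.0.a.2.ip6.arpa": [(TAG, "customer-ca.example")],   # 2a0d:3dc0:200::/40
}


def reverse_name(ip):
    """Reverse-DNS name: reversed octets under in-addr.arpa, reversed nibbles under ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def relevant_caa(ip, zone):
    """Climb from the full reverse name toward the root and return the first
    non-empty CAA RRset (name, records). Because the walk starts at the most
    specific name, a record on a longer name overrides one on a shorter name."""
    labels = reverse_name(ip).split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def issuance_permitted(ip, ca, zone):
    """A CA may issue for the address when no CAA applies, or when its identifier
    is listed in the relevant set; a value of ';' matches no CA."""
    _, rrset = relevant_caa(ip, zone)
    allowed = [value for tag, value in rrset if tag == TAG]
    return True if not allowed else ca in allowed


if __name__ == "__main__":
    for ip in ("10.10.10.5", "10.10.20.5", "2a0d:3dc0:200::1",
               "2a0d:3dc0:100::1", "192.0.2.1"):
        name, rrset = relevant_caa(ip, ZONE)
        print(f"{ip:>18} -> {name or '(no CAA)'} {rrset}")
```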

Kurt Seifried

Dec 2, 2022, 11:59:01 AM
to Paul Wouters, Antonios Chariton, dev-secur...@mozilla.org


On Fri, Dec 2, 2022 at 9:56 AM Paul Wouters <pa...@nohats.ca> wrote:
On Fri, 2 Dec 2022, 'Kurt Seifried' via dev-secur...@mozilla.org wrote:

> I read it briefly but it seems to me like there's a significant failure/abuse scenario:
> ISP controls an IP block that it portions out to customers. ISP has a web server and puts in the IP/IPv6 CAA records.
>
> Customers that use delegated IP space from the ISP can now only use those CAAs as well if they want to use this standard, correct?
>
> If this is correct, and I was a CA and read this I'd be building a PowerPoint deck for my sales team on how ISP's can partner with
> us to get a 20-50% commission on sales of certificates by doing this one simple thing...

No,

As Antonios wrote:

        a CAA record in 2.0.0.c.d.3.d.0.a.2.ip6.arpa takes precedence over one in 0.c.d.3.d.0.a.2.ip6.arpa .

Paul

Right, sorry, got it backwards; couldn't the ISP also declare a CAA record at a lower level, assuming they control the IP space....

passerby184

Dec 2, 2022, 6:07:38 PM
to dev-secur...@mozilla.org, ku...@seifried.org, dakno...@gmail.com, dev-secur...@mozilla.org, Paul Wouters
If they didn't open rDNS, clients wouldn't be allowed to override it, although I would say that's working as intended, as writing a certificate for a year on dynamic IPs that another person may use a few days later doesn't look like a good idea.

On Saturday, December 3, 2022 at 1:59:01 AM UTC+9, ku...@seifried.org wrote: