Certificates with in-addr.arpa dNSNames

137 views
Skip to first unread message

Timothy Geiser

unread,
Apr 5, 2021, 12:54:15 PMApr 5
to dev-secur...@mozilla.org
In 2019 this list saw a mis-issuance as well (mis)use of the in-addr.arpa namespace for more than just PTR records, and certificates issued for those dNSNames: see
https://groups.google.com/g/mozilla.dev.security.policy/c/JFwqZx7RLL0/m/My83uQA5AAAJ
The CA/B Forum Validation mailing list also saw this in 2018: https://lists.cabforum.org/pipermail/validation/2018-February/000718.html
I haven't found any evidence of recent mis-issuance, but is there any reason to allow certificates covering the in-addr.arpa (or ip6.arpa) space in the first place?
Certs are still being issued in there: https://crt.sh/?dNSName=%25.in-addr.arpa&exclude=expired (and https://crt.sh/?dNSName=%25.ip6.arpa&exclude=expired ) shows mostly Cloudflare, but a few others. Was there any consensus the last
time this came up?

ASIDE: I tried posting a message to the CA/B Forum Validation list (valid...@cabforum.org) but got an auto-reply stating that the list is read-only unless you've signed their IPR agreement. If any of you are part of that please feel free to
forward this on to that list, or to any other relevant parties.

Thanks,
Tim Geiser

Ryan Sleevi

unread,
Apr 5, 2021, 1:29:15 PMApr 5
to Timothy Geiser, dev-secur...@mozilla.org
(Resending after a permissions snafu)

Hi Timothy,

In the CA/B Forum, this is tracked as https://github.com/cabforum/servercert/issues/153 , reflecting that there wasn't a firm consensus at the time, other than a need to tighten things up further.

To participate in the CA/B Forum, you can apply to join as an Interested Party. The website is in need of a revamp (the Infrastructure Subcommittee of the Forum is working on that), so I realize it's not entirely clear, but https://cabforum.org/email-lists/ or https://github.com/cabforum/servercert/blob/main/.github/contributing.md hopefully provide instructions for how to contribute (and this includes contributions on GitHub)

I already went through our outstanding CABF issues today, as the next major effort now that SC41 has been merged [1] is working on a "Cleanups and Clarifications" ballot for things not related to certificate profiles, while continuing work on certificate profiles [2] for those related to extensions/field contents.

This issue hasn't been dropped or forgotten; rather, the focus has been on trying to improve the agility of the CA/BF through tooling and clearer requirements, so that we can continue to address issues like this. If you're interested in helping, joining as an Interested Party is a great way to help contribute!

In the interim, it's totally something that Root Programs could choose to address via their policy. Although Mozilla just published their latest version of policy [3], you could always see if Mozilla would like to address it in a future update of their policy via [4].

Hope this helps!

Reply all
Reply to author
Forward
0 new messages