CT and CAA


Juergen Schmidt

Aug 31, 2017, 11:57:26 AM
to certificate-transparency
Hello list

tldr: CT logs should log DNS CAA lookups. Do they? Or will they?

Long version:

As of September it becomes mandatory that CAs check CAA entries before they sign a new certificate [1].
But right now there are virtually no consequences if CAs ignore this. With CT a domain owner could become aware of fraudulent certificates (if he checks the logs). But to build a case against the CA he needs proof that his CAA record existed, was valid and was available to the public at the time the certificate was issued. My idea for this was: the ideal place would be a documented DNS query done by the CT log at the time the certificate was registered.

What do you think?
Maybe CT logs are already doing this. Do they? Any pointers?
Or are there plans to add this any time soon?
Am I missing something?

thanks in advance, ju
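The CAA check the post refers to is the RFC 8659 algorithm: climb the DNS tree from the certificate's name to the first ancestor with a CAA RRset, then see whether that RRset authorizes the issuer. The following is an added illustration, not code from the thread or from any CT log or CA; the zone contents are constructed sample data standing in for a live DNS lookup.

```python
"""CAA authorization check with RFC 8659 semantics over a constructed zone."""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed sample zone: name -> CAA RRset. A missing key means the name
# has no CAA records (NODATA/NXDOMAIN), so the search climbs to its parent.
ZONE: Dict[str, List[CaaRecord]] = {
    "example.com.": [(0, "issue", "letsencrypt.org"),
                     (0, "issuewild", ";"),              # no wildcard issuance
                     (0, "iodef", "mailto:security@example.com")],
    "internal.example.org.": [(128, "unknowntag", "x")],  # critical, unknown tag
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def relevant_caa(name: str, zone: Dict[str, List[CaaRecord]]) -> Optional[List[CaaRecord]]:
    """Return the first CAA RRset found walking from `name` towards the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone:
            return zone[candidate]
    return None  # no CAA anywhere in the ancestry


def issuance_allowed(name: str, issuer: str, zone: Dict[str, List[CaaRecord]]) -> bool:
    """Decide whether `issuer` may issue for `name` (wildcard names start with '*.')."""
    wildcard = name.startswith("*.")
    lookup_name = name[2:] if wildcard else name
    rrset = relevant_caa(lookup_name, zone)
    if rrset is None:
        return True  # CAA only restricts; its absence permits issuance
    # A critical flag (bit 0x80) on a tag the issuer does not understand forbids issuance.
    if any(flags & 0x80 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    props = [v for _, t, v in rrset if t.lower() == "issuewild"] if wildcard else []
    if not props:  # issue applies to wildcards too when no issuewild is present
        props = [v for _, t, v in rrset if t.lower() == "issue"]
    if not props:
        return True  # RRset present but nothing restricts issuance (e.g. only iodef)
    # Each value is "<issuer-domain>[; params]"; an empty issuer-domain authorizes nobody.
    return any(v.split(";", 1)[0].strip().lower() == issuer.lower() and v.split(";", 1)[0].strip()
               for v in props)
```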


Patrick Figel

Aug 31, 2017, 1:51:15 PM
to certificate-...@googlegroups.com
My first thought on this: How do you distinguish a "real" CAA
query/response from one produced by the CA? In other words, what's to
stop a CA or whoever compromised the CA from faking it?

For the vast majority of domains - namely everyone not using DNSSEC - I
see no practical way to verify that the response was actually produced
by the relevant name servers.

For domains with DNSSEC, you could verify that the response was signed
by the relevant key, but what's to stop the CA from claiming that the
key wasn't the one that was active at the time of issuance? I don't
think DNSSEC has a mechanism that gives you a verifiable view of the DS
record of a domain at some point in time in the past.

Ultimately, you're back to a claim that can't be easily verified by a
third party and you'd have to rely on some kind of forensics (much as
you'd have to now). I'll accept that showing forensic proof of such an
event would be easier with DNSSEC in place, but that's a high price to
pay in terms of complexity/implementation cost for a relatively small
number of domains.

Juergen Schmidt

Sep 1, 2017, 8:31:49 AM
to certificate-transparency
I argue that an admin testifying that (s)he set up CAA before a certificate was issued, and independent CT logs backing this claim, make a pretty strong case against any CA that ignores CAA.
And if CAs publicly state that they became victims of DNS poisoning attacks, we have a pretty strong case for DNSSEC, which is a win too.

bye, ju