Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] How to protect users from compelled fake ssl certs?

Ralph Holz holz at net.in.tum.de
Tue Jul 2 10:01:02 PDT 2013


> DANE: https://tools.ietf.org/html/rfc6698
> CAA: https://tools.ietf.org/html/rfc6844
> 
> The difference is: (from the CAA-rfc)
> 
>    Like the TLSA record defined in DNS-Based Authentication of Named
>    Entities (DANE) [RFC6698], CAA records are used as a part of a
>    mechanism for checking PKIX certificate data.  The distinction
>    between the two specifications is that CAA records specify an
>    authorization control to be performed by a certificate issuer before
>    issue of a certificate and TLSA records specify a verification
>    control to be performed by a relying party after the certificate is
>    issued.

I wonder whether that would have protected against the Comodo Hacker. It
seems it depends when and from where the CAA checks are run. I don't
have better data here, but it seems the guy was able to directly trigger
the signing process. In that case, CAA would have been bypassed.

It's another reason I like DANE and CT better.

Ralph

-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF



More information about the liberationtech mailing list