[liberationtech] How to protect users from compelled fake ssl certs?

Ralph Holz holz at
Tue Jul 2 10:01:02 PDT 2013

> CAA:
> The difference is: (from the CAA-rfc)
>    Like the TLSA record defined in DNS-Based Authentication of Named
>    Entities (DANE) [RFC6698], CAA records are used as a part of a
>    mechanism for checking PKIX certificate data.  The distinction
>    between the two specifications is that CAA records specify an
>    authorization control to be performed by a certificate issuer before
>    issue of a certificate and TLSA records specify a verification
>    control to be performed by a relying party after the certificate is
>    issued.

I wonder whether that would have protected against the Comodo Hacker. It
seems it depends on when and from where the CAA checks are run. I don't
have better data here, but it seems the guy was able to directly trigger
the signing process. In that case, CAA would have been bypassed.

It's another reason I like DANE and CT better.


Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
Phone +
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
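The CAA/TLSA split quoted above (RFC 6844 authorization before issuance, RFC 6698 verification after issuance) in runnable form. This is an added example, not code from the original post or from either RFC: the DNS zone contents, the CA names (trusted-ca.example, rogue-ca.example) and the certificate byte strings are all constructed stand-ins, and the TLSA side implements only usage 3 / selector 0 / matching types 0 and 1. The last function models the bypass scenario discussed in the message: a certificate produced without the issuer ever running the CAA check still has to get past the relying party's TLSA check.

```python
"""Toy issuer-side CAA check beside a relying-party TLSA check.

Added example (not from the mailing-list post). All DNS data and
certificate bytes below are constructed; nothing touches the network.
"""
import hashlib

# Constructed stand-in for DNS: owner name -> CAA RRset as (flags, tag, value).
# Flag bit 0x80 is the "issuer critical" flag from RFC 6844.
CAA_ZONE = {
    "example.com.":       [(0, "issue", "trusted-ca.example"),
                           (0, "iodef", "mailto:security@example.com")],
    "nocerts.example.":   [(0, "issue", ";")],            # ';' = no CA may issue
    "critical.example.":  [(0x80, "future-tag", "x")],    # unknown critical tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def caa_lookup(fqdn):
    """RFC 6844 section 4: climb toward the root until a CAA RRset is found.
    (CNAME/DNAME handling is omitted in this toy.)"""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if name in CAA_ZONE:
            return CAA_ZONE[name]
    return []


def caa_permits(fqdn, issuer_domain):
    """Authorization control run by the *issuer* before signing."""
    rrset = caa_lookup(fqdn)
    # An unknown tag marked critical means: do not issue.
    if any(flags & 0x80 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    is_wild = fqdn.startswith("*.")
    tag = "issuewild" if is_wild else "issue"
    relevant = [v for _, t, v in rrset if t == tag]
    if is_wild and not relevant:
        relevant = [v for _, t, v in rrset if t == "issue"]  # issue governs wildcards too
    if not relevant:
        return True  # no CAA restriction -> issuance not constrained by CAA
    # "ca.example; account=123" -> "ca.example"; a bare ";" yields "" (nobody)
    permitted = {v.split(";")[0].strip().lower() for v in relevant}
    permitted.discard("")
    return issuer_domain.lower() in permitted


def tlsa_record_for(cert_der):
    """TLSA usage 3 (DANE-EE), selector 0 (full cert), matching type 1 (SHA-256)."""
    return (3, 0, 1, hashlib.sha256(cert_der).hexdigest())


def tlsa_matches(cert_der, tlsa_rrset):
    """Verification control run by the *relying party* after issuance:
    the presented certificate must match at least one TLSA record."""
    for usage, selector, mtype, data in tlsa_rrset:
        if usage != 3 or selector != 0:
            continue  # other usages/selectors not modelled here
        if mtype == 0:
            candidate = cert_der.hex()
        elif mtype == 1:
            candidate = hashlib.sha256(cert_der).hexdigest()
        else:
            continue
        if candidate == data.lower():
            return True
    return False


# Constructed stand-ins; a real deployment hashes DER-encoded X.509 bytes.
LEGIT_CERT = b"DER(CN=www.example.com, issuer=trusted-ca.example)"
ROGUE_CERT = b"DER(CN=www.example.com, issuer=rogue-ca.example)"
TLSA_FOR_WWW = [tlsa_record_for(LEGIT_CERT)]


def issuance_and_validation(cert_der, issuer_domain, caa_checked=True):
    """Returns (caa_result, tlsa_result) for www.example.com.
    caa_checked=False models an attacker driving the signing step directly,
    so the issuer's CAA check never runs (result None)."""
    caa_ok = caa_permits("www.example.com", issuer_domain) if caa_checked else None
    tlsa_ok = tlsa_matches(cert_der, TLSA_FOR_WWW)
    return caa_ok, tlsa_ok


if __name__ == "__main__":
    print("legit, CAA checked :", issuance_and_validation(LEGIT_CERT, "trusted-ca.example"))
    print("rogue, CAA checked :", issuance_and_validation(ROGUE_CERT, "rogue-ca.example"))
    print("rogue, CAA skipped :", issuance_and_validation(ROGUE_CERT, "rogue-ca.example", False))
```

The CAA function never sees the certificate at all; it answers "may this CA issue for this name?" from DNS alone, and only helps if the CA actually asks. The TLSA function never sees the CA; it compares what the server presents against what the zone pins, so it gives the same answer whether or not the issuer's check was run.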
