On Thu, Nov 30, 2017 at 4:02 AM, Quirin Scheitle via dev-security-policy <
[email protected]> wrote:

> Similar to the GlobalSign discussion, it is well possible that the domain
> briefly disabled their CAA records when you did the check — and re-enabled
> them later.
>

I think that, as CAA deployment becomes common, this pattern will be
not-uncommon. I would hope we don't sound false alarms when it does.

This is pretty explicitly spelled out in the CAA RFC:
   CAA records MAY be used by Certificate Evaluators as a possible
   indicator of a security policy violation.  Such use SHOULD take
   account of the possibility that published CAA records changed between
   the time a certificate was issued and the time at which the
   certificate was observed by the Certificate Evaluator.

That said, the role of evaluators is less so in reporting to the CAs, but
as noted within the CAA RFC:
   iodef <URL> :  Specifies a URL to which an issuer MAY report
      certificate issue requests that are inconsistent with the issuer's
      Certification Practices or Certificate Policy, or that a
      Certificate Evaluator may use to report observation of a possible
      policy violation.  The Incident Object Description Exchange Format
      (IODEF) format is used [RFC5070].


This is because the only party who can ascertain intent unambiguously here
is the subscriber. Independent parties such as evaluators lack the context
both from the POV of the Applicant and the CA to identify misissuance, and
unless we (incorrectly, I would argue) want to require that CAA records be
'sticky' and 'globally observed' for some time before issuing a cert, then
this pattern will be a regular part of operation.

For example, an organization that wants to ensure that all certificates are
directed through a central purchasing team would, rather than place the
name of that CA in their CAA record (although they could), potentially
place themselves in their record, and then make the changes whenever they
need to renew, replace, or issue certificates - for the duration of the
issuance request.

I agree that it's early in the CAA deployment story, that we're likely to
see and continue to see bugs as CAs (finally, after years of discussion)
familiarize themselves with it and their implementation, and I agree, it's
unfortunate that some extent of these edge cases are not well tested or
testable. But I'm also wanting to make sure that we don't prematurely
increase the perceived cost of CAA such that it would rightfully make an
argument that the cost outweighs the benefits - from things like false
positive reporting.

Just my $.02
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
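An added example (not part of the thread, and not any CA's or evaluator's code) of what the quoted RFC text asks of a Certificate Evaluator: match the issuing CA against the observed "issue"/"issuewild" records, and when they disagree, produce only a "possible violation" plus the iodef reporting URL, because the record set may have changed since issuance. The domain names, the iodef mailbox and the timestamps are constructed; the "purchasing team" zone that lists itself outside the issuance window is the pattern described in the mail.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

def parse_caa(presentation: str) -> CAARecord:
    """Parse '<flags> <tag> "<value>"' presentation form, e.g. 0 issue "ca.example.net"."""
    flags, tag, value = presentation.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))

def issue_domain(value: str) -> str:
    """RFC 6844 5.2: value is '<domain>[; params]'; an empty domain forbids issuance."""
    return value.split(";", 1)[0].strip().lower()

def ca_authorized(records, ca_domain: str, wildcard: bool) -> bool:
    """RFC 6844 5.2/5.3 matching: issuewild governs wildcard names when present, else issue.
    No applicable property is treated as 'not restricted by CAA' (assumption made here)."""
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    return ca_domain.lower() in {issue_domain(r.value) for r in relevant}

def evaluate(not_before, ca_domain, wildcard, records, observed_at):
    """Evaluator verdict in the RFC's sense: an inconsistency is only a *possible*
    violation, since the records may have changed between issuance and observation."""
    if ca_authorized(records, ca_domain, wildcard):
        return {"verdict": "consistent", "report_to": None, "gap_seconds": 0}
    iodef = next((r.value for r in records if r.tag == "iodef"), None)
    gap = (observed_at - not_before).total_seconds()
    return {"verdict": "possible-violation", "report_to": iodef, "gap_seconds": gap}

# Constructed sample: the zone normally lists the organization itself and is
# switched to the CA only for the issuance window, then switched back.
NORMAL_RRSET = tuple(parse_caa(s) for s in (
    '0 issue "purchasing.example.com"',
    '0 iodef "mailto:caa-reports@example.com"',
))
ISSUANCE_RRSET = tuple(parse_caa(s) for s in ('0 issue "ca.example.net"',))
ISSUED = datetime(2017, 11, 29, 10, 0, tzinfo=timezone.utc)

def demo():
    during = evaluate(ISSUED, "ca.example.net", False, ISSUANCE_RRSET, ISSUED)
    later = evaluate(ISSUED, "ca.example.net", False, NORMAL_RRSET, ISSUED + timedelta(days=1))
    return during["verdict"], later["verdict"], later["report_to"]
```

Run `demo()`: the same certificate is consistent against the records observed at issuance time and a possible violation a day later, with the iodef contact to send the report to rather than an alarm.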
