Frank Hecker:
> Don't have time for a long response, but I do have one comment below.
>
> Eddy Nigg (StartCom Ltd.) wrote:
>
>> One can purchase a popular or less popular domain name, request a
>> certificate for N years, let the domain name expire after one year, wait
>> to have it picked up by somebody else. Now, this site can be spoofed at
>> will and a MITM is possible (the very same thing Mozilla tries to
>> prevent in the first place).
>>
>
> OK, I better understand what your concern is now. But note that this
> scenario would not actually require the attacker to wait for a year.
> They could simply use "domain tasting" to register a domain name, get a
> cert for it, then hand back the domain after 5 days (or whatever it is)
> for a refund.
>
Of course, smart CAs also do some checking on the validity of the domain name, i.e. check the whois records accordingly. CAs have various tools to protect themselves and the relying parties.

> So to the extent that this is a threat, it's really a threat against DV
> certificates in general, even those with one year expirations.
>

This is correct! But please read again what I posted: It is reasonable to assume that domain names have a period after expiration when they aren't sold, but held for the original owner to extend. It is also reasonable to believe that, even should a certificate have been issued at some time, *it will expire within a reasonable amount of time*. One can reasonably assume that *after the passing of some time, no legitimate certificate exists in the wrong hands.*

A certificate with a lifetime of one year isn't an *ongoing threat of possibly ten years* to come. There is a huge difference!

Supposing that a domain which was owned by someone else isn't going to end up within a very short time in the hands of a different owner, nor that a sensitive web site (as for example with the startssl.com domain name), which would prove to be a worthy candidate for such an attack, is set up within a very short time, it is reasonable to assume that the limitation of a certificate to a lifetime of one year will sufficiently protect against and prevent a MITM attack on said web site.

My argument is with reasons and within accepted boundaries of domain validated certificates. Again, certificates with somewhat longer validity should be handled accordingly (with additional validations perhaps), but since domain validation is already the *lowest barrier* of entry, they should be controlled accordingly with a *reasonably limited validity*. Ten years is NOT reasonable! It borders on intent and gross negligence!

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution!
<http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
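The two scenarios argued over above (a domain that lapses after a year and is held for the original registrant, versus a "domain tasting" hand-back after a few days) come down to one question: for how long does a certificate the former registrant still holds stay valid after someone else can own the name? The following Python model, added here as an illustration and not code from either poster or from StartCom, computes that exposure window for the cases in the thread and adds the CA-side cap Eddy alludes to (checking the registration's remaining term before issuing). The 30-day hold period, the sample issue date and the `cap_validity` helper are assumptions, not figures from the thread.

```python
from datetime import date, timedelta

# Assumed hold period between a registration lapsing and the name becoming
# available to a new registrant. ICANN's redemption grace period is on the
# order of 30 days, but treat the exact figure as an assumption.
ASSUMED_HOLD_DAYS = 30

# Constructed sample issue date used by the examples and tests below.
SAMPLE_ISSUED = date(2008, 1, 1)


def exposure_window(issued, cert_days, domain_lost_after_days,
                    hold_days=ASSUMED_HOLD_DAYS):
    """Period during which a certificate the *former* registrant still holds
    remains valid while a *new* registrant can already own the name.

    issued                 - date the certificate was issued
    cert_days              - certificate lifetime in days
    domain_lost_after_days - days after issuance at which the former
                             registrant gives the name up (lets it expire,
                             or hands it back for a refund)
    hold_days              - days the registry holds the name before anyone
                             else can register it

    Returns (start, end) of the exposure, or None if the certificate expires
    before anyone else can hold the domain.
    """
    cert_expires = issued + timedelta(days=cert_days)
    reregister_from = issued + timedelta(days=domain_lost_after_days + hold_days)
    if cert_expires <= reregister_from:
        return None
    return reregister_from, cert_expires


def exposure_days(issued, cert_days, domain_lost_after_days,
                  hold_days=ASSUMED_HOLD_DAYS):
    """Length of the exposure window in days (0 when there is none)."""
    window = exposure_window(issued, cert_days, domain_lost_after_days, hold_days)
    return 0 if window is None else (window[1] - window[0]).days


def cap_validity(requested_days, days_until_registration_expires,
                 hold_days=ASSUMED_HOLD_DAYS):
    """Hypothetical CA-side check: never issue a certificate that outlives
    the registration the applicant currently holds plus the registry hold,
    whatever validity period was requested."""
    return min(requested_days, days_until_registration_expires + hold_days)


if __name__ == "__main__":
    # Eddy's scenario: one-year cert, domain lapses after one year, then is
    # held 30 days. The cert is already expired when the name is re-sold.
    print(exposure_days(SAMPLE_ISSUED, 365, 365))            # 0
    # Same scenario with a ten-year cert: almost nine years of exposure.
    print(exposure_days(SAMPLE_ISSUED, 3650, 365))           # 3255
    # Frank's domain-tasting scenario: name handed back after 5 days with
    # no hold, so even a one-year cert is exposed for most of its life.
    print(exposure_days(SAMPLE_ISSUED, 365, 5, hold_days=0))  # 360
    # CA cap: registration has 200 days left, applicant asks for ten years.
    print(cap_validity(3650, 200))                           # 230
```

The model makes the thread's disagreement concrete: the hold period protects only against certificates shorter than the registration term plus the hold, which is why Eddy's one-year limit closes the expiry case but not Frank's tasting case, and why a ten-year certificate leaves a multi-year window in either case. A CA that caps validity at the registration's remaining term (the whois check Eddy mentions) closes the gap in both.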