[liberationtech] How to protect users from compelled fake ssl certs?
Ralph Holz
holz at net.in.tum.de
Tue Jul 2 10:01:02 PDT 2013
> DANE: https://tools.ietf.org/html/rfc6698
> CAA: https://tools.ietf.org/html/rfc6844
>
> The difference is: (from the CAA-rfc)
>
> Like the TLSA record defined in DNS-Based Authentication of Named
> Entities (DANE) [RFC6698], CAA records are used as a part of a
> mechanism for checking PKIX certificate data. The distinction
> between the two specifications is that CAA records specify an
> authorization control to be performed by a certificate issuer before
> issue of a certificate and TLSA records specify a verification
> control to be performed by a relying party after the certificate is
> issued.

I wonder whether that would have protected against the Comodo Hacker. It
seems it depends on when and from where the CAA checks are run. I don't
have better data here, but it seems the guy was able to directly trigger
the signing process. In that case, CAA would have been bypassed.

It's another reason I like DANE and CT better.

Ralph

--
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
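
An added example, not part of the original message: a minimal Python implementation of the relying-party check that the quoted RFC text assigns to TLSA records, matching a presented certificate against a published "3 1 1" or "3 0 x" association (RFC 6698 selector and matching-type fields). The function names and the toy DER certificates are constructed for illustration; only certificate usage 3 is handled.

```python
import hashlib
import hmac

def der_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at off."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo element of an X.509 certificate."""
    _, pos, _ = der_tlv(cert_der, 0)       # Certificate
    _, pos, _ = der_tlv(cert_der, pos)     # tbsCertificate
    tag, _, nxt = der_tlv(cert_der, pos)
    if tag == 0xA0:                        # optional [0] version
        pos = nxt
    for _ in range(5):                     # serial, sigAlg, issuer, validity, subject
        _, _, pos = der_tlv(cert_der, pos)
    _, _, end = der_tlv(cert_der, pos)
    return cert_der[pos:end]

def tlsa_matches(record, cert_der):
    """Check an end-entity certificate against one TLSA record (usage 3 only)."""
    usage, selector, mtype, data = record
    if usage != 3:
        raise ValueError("usages 0-2 also need chain validation, not shown here")
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown selector or matching type")
    material = cert_der if selector == 0 else extract_spki(cert_der)
    digest = (material, hashlib.sha256(material).digest(),
              hashlib.sha512(material).digest())[mtype]
    return hmac.compare_digest(digest, data)

# Constructed toy data: DER-shaped stand-ins, not real certificates.
def _der(tag, content):
    return bytes([tag, len(content)]) + content   # short-form lengths only

def toy_cert(serial, key):
    spki = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + key))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial)
               + _der(0x30, b"") * 4 + spki)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

SITE_CERT = toy_cert(b"\x01", b"S" * 32)    # key the domain owner controls
ROGUE_CERT = toy_cert(b"\x02", b"R" * 32)   # same name, key held by someone else
RENEWED_CERT = toy_cert(b"\x03", b"S" * 32) # new serial, same key as SITE_CERT
# What the domain owner would publish as "TLSA 3 1 1 <sha256 of SPKI>".
PINNED = (3, 1, 1, hashlib.sha256(extract_spki(SITE_CERT)).digest())
```

The check runs in the client on every connection, so its result does not depend on what the issuer did or skipped at signing time; it does depend on the TLSA record itself arriving over validated DNSSEC.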