Is this an issue that we should address in CAA?<div><br></div><div>At the moment <a href="http://twitter.com">twitter.com</a> can say 'only issue certs for me if you are my authorized CA'.</div><div><br></div><div>
Do we want to go further there? Can we?</div><div><br></div><div><br></div><div>Should the owner of <a href="http://example.com">example.com</a> be able to state 'hey I am a very sensitive domain, you should hotlist me?'</div>
<div><br></div><div>This issue is easy to spot when we are talking about <a href="http://twitter.com">twitter.com</a>. Much harder when we are talking about <span class="Apple-style-span" style="font-family: sans-serif; font-size: 16px; line-height: 24px; background-color: rgb(255, 255, 255); "><a href="http://xn--wi99ciwisk.cn">xn--wi99ciwisk.cn</a></span></div>
<div><br>I am not sure that owning <a href="http://example.com">example.com</a> should allow someone to establish a prohibition issue of certs to example.com.**.com. But it might be something that public CAs should maybe throw up a manual processing flag for.<br>
<br><br><div class="gmail_quote">On Wed, Nov 9, 2011 at 10:06 AM, Daniel Kahn Gillmor <span dir="ltr"><<a href="mailto:dkg@fifthhorseman.net">dkg@fifthhorseman.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Wed, 09 Nov 2011 12:28:57 +0100, Matthias Hunstock <<a href="mailto:matthias.hunstock@tu-ilmenau.de">matthias.hunstock@tu-ilmenau.de</a>> wrote:<br>
> Am 09.11.2011 02:03, schrieb Daniel Kahn Gillmor:<br>
><br>
> > Matthias, you seem to be aware of the domain-scoped whitelisting policy<br>
> > by DFN. Do you know how .local fits in those policies?<br>
><br>
> It's very simple. The domain whitelist was introduced some time ago<br>
> (about 1.5 years ago I think), the "bad" certs you have in your data<br>
> should be older than that.<br>
<br>
</div>0 dkg@pip:~$ echo | openssl s_client -connect <a href="http://mail.leibniz-gemeinschaft.de:443" target="_blank">mail.leibniz-gemeinschaft.de:443</a> 2>/dev/null | openssl x509 -text -noout | grep -A3 Valid<br>
Validity<br>
Not Before: Nov 24 16:37:09 2009 GMT<br>
Not After : Nov 23 16:37:09 2014 GMT<br>
Subject: C=DE, O=DFN-Verein, OU=DFN-PKI, CN=<a href="http://webmail-berlin.leibniz-gemeinschaft.de" target="_blank">webmail-berlin.leibniz-gemeinschaft.de</a><br>
0 dkg@pip:~$<br>
<br>
Hmm, that's certainly the case for the one i was looking at. So we're<br>
about 2 years into a 5-year certificate lifetime that doesn't meet valid<br>
domain whitelist constraints.<br>
<br>
This isn't exactly comforting information, unfortunately :/<br>
<div class="im"><br>
> No, I did not pentest the filter. There is a PKI test instance, e.g. for<br>
> software developmnet, if that also has this filter (I only used it for<br>
> user certs by now) maybe I can play with that one.<br>
<br>
</div>That'd be an interesting data point.<br>
<div class="im"><br>
> Requesting a cert for <a href="http://twitter.com" target="_blank">twitter.com</a> would be an open violation of our CA<br>
> policy by me - I would rather avoid that :)<br>
<br>
</div>Understood. :) What about pentesting with a domain that the owner is<br>
willing to let you try to forge?<br>
<span class="HOEnZb"><font color="#888888"><br>
--dkg<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br>Website: <a href="http://hallambaker.com/">http://hallambaker.com/</a><br><br>
</div>