From: Grant Taylor <gtaylor@gentoo.tnetconsulting.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] app-misc/ca-certificates
Date: Tue, 1 Jun 2021 19:51:06 -0600 [thread overview]
Message-ID: <5f29a4f8-a1a5-9f4a-1fe2-f06172da8e6b@spamtrap.tnetconsulting.net> (raw)
In-Reply-To: <e3af2cc757588b4599cc4e06308947b003cadfab.camel@gentoo.org>
On 6/1/21 3:38 PM, Michael Orlitzky wrote:
> *Any* CA can just generate a new key and sign the corresponding
> certificate.
This is where what can /technically/ be done diverges from what is
/allowed/ to be done.
CAs adhering to the CA/B Forum's requirements on CAA records mean that
they aren't allowed to issue a certificate for a domain that doesn't
list them in the CAA record.
If a CA violates the CAA record requirement, then the CA has bigger
issues and will be subject to distrusting in mass.
Certificate Transparency logs make it a lot easier to identify if such
shenanigans are done. -- I think that the CA/B Forum is also requiring
C.T. Logs.
Also, CAs /should/ *NOT* be generating keys. The keys should be
generated by the malicious party trying to pull the shenanigans that
you're talking about.
> All browsers will treat their fake certificate corresponding to the
> fake key on their fake web server as completely legitimate. The "real"
> original key that you generated has no special technical properties
> that distinguish it.
Not /all/ browsers. I know people that have run browser extensions to
validate the TLS certificate that they receive against records published
via DANE in DNS, which is protected by DNSSEC. So it's effectively
impossible for a rogue CA and malicious actor to violate that chain of
trust in a way that can't be detected and acted on.
--
Grant. . . .
unix || die
next prev parent reply other threads:[~2021-06-02 1:51 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-29 1:08 [gentoo-user] app-misc/ca-certificates zcampe
2021-05-29 6:26 ` Walter Dnes
2021-06-01 4:45 ` J. Roeleveld
2021-06-01 5:15 ` William Kenworthy
2021-06-01 10:44 ` Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates) karl
2021-06-01 11:17 ` J. Roeleveld
2021-06-01 11:40 ` Michael Orlitzky
2021-06-01 12:02 ` Peter Humphrey
2021-06-01 12:16 ` Michael Orlitzky
2021-06-01 12:24 ` Peter Humphrey
2021-06-01 13:22 ` Rich Freeman
2021-06-01 13:17 ` karl
2021-06-01 13:20 ` karl
2021-06-01 13:17 ` karl
2021-06-01 11:59 ` [gentoo-user] app-misc/ca-certificates Adam Carter
2021-06-01 13:29 ` Rich Freeman
2021-06-02 1:13 ` William Kenworthy
2021-06-03 9:06 ` Adam Carter
2021-06-01 21:25 ` Grant Taylor
2021-06-01 21:38 ` Michael Orlitzky
2021-06-02 1:51 ` Grant Taylor [this message]
2021-06-02 7:21 ` J. Roeleveld
2021-06-02 20:22 ` Grant Taylor
2021-06-02 7:48 ` Fannys
2021-06-02 20:23 ` Grant Taylor
2021-06-01 22:28 ` Fannys
2021-06-02 7:23 ` J. Roeleveld
2021-06-01 21:05 ` Grant Taylor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5f29a4f8-a1a5-9f4a-1fe2-f06172da8e6b@spamtrap.tnetconsulting.net \
--to=gtaylor@gentoo.tnetconsulting.net \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox