Today's attack on @myetherwallet (via BGP hijack of AWS name servers) proves beyond doubt that everyone should implement DNSSEC and HSTS asap!
DNSSEC = resolvers would deny fake records
HSTS = browsers would prevent users burning themselves from self-signed certs.
Requirement is a strong word. CAs implemented it incorrectly and browsers wouldn't enforce.
Root store programs could (by policy). Misbehaving CAs would get warned and eventually kicked out.
@mozilla could definitely do it.
I was the person who argued on m.d.s.p. that Mozilla should enforce. They didn't.
A study of CAs from late last year tested 7 DV issuing CAs for CAA policy adherence. 0/7 issued for signed zones with wrong signature. 3/7 issued for signed zones with a full timeout on CAA query. As I understand it, those bugs were later fixed. https://groups.google.com/forum/#!searchin/mozilla.dev.security.policy/CAA%7Csort:date/mozilla.dev.security.policy/wbIAs--fslA/5QL8GvnPAAAJ …
I'm skeptical given the outcome of an earlier m.d.s.p. thread but I guess I'll need to test again to be sure.
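The checks that study exercised (a signed zone whose CAA answer fails DNSSEC validation, and a signed zone whose CAA query times out) come down to how a CA's validation code treats lookup failures. The following is an added example, not the study's harness or any CA's code: a small CAA issuance evaluator modelled on RFC 8659 semantics (tree-climbing to find the relevant RRset, issue/issuewild, the critical flag) and on the Baseline Requirements' rule that a lookup failure may only be treated as permission to issue when the zone is not DNSSEC-signed. It runs over a constructed in-memory DNS view; `FakeResolver`, `Lookup`, and every domain name in the table are assumptions made for the example.

```python
"""CAA issuance decision modelled on RFC 8659 and CA/B Forum Baseline Requirements 3.2.2.8.
Added example over a constructed in-memory DNS view; not the study's harness or any CA's code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CRITICAL = 128  # RFC 8659 issuer-critical flag bit
KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str


@dataclass
class Lookup:
    """Outcome of one validating CAA query (constructed for this example)."""
    records: List[CAARecord] = field(default_factory=list)
    status: str = "ok"      # "ok" | "bogus" (DNSSEC signature failed) | "timeout"
    signed: bool = False    # zone has a DNSSEC chain to the root


class FakeResolver:
    """Stand-in for a validating resolver; names missing from the table answer NODATA."""
    def __init__(self, table: Dict[str, Lookup]) -> None:
        self.table = table

    def caa(self, name: str) -> Lookup:
        return self.table.get(name.rstrip(".").lower(), Lookup())


def _ancestors(name: str):
    """Yield name, its parent, ... up to the TLD (RFC 8659 stops before the root)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def relevant_rrset(resolver: FakeResolver, name: str) -> Tuple[List[CAARecord], str]:
    """Climb from `name` towards the TLD; the first non-empty CAA set is the relevant one."""
    for candidate in _ancestors(name):
        res = resolver.caa(candidate)
        if res.status == "bogus":
            return [], "bogus"
        if res.status == "timeout":
            return [], "timeout-signed" if res.signed else "timeout-unsigned"
        if res.records:
            return res.records, "ok"
    return [], "ok"


def may_issue(resolver: FakeResolver, fqdn: str, ca_domain: str,
              wildcard: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason) for `ca_domain` issuing a certificate for `fqdn`."""
    rrset, status = relevant_rrset(resolver, fqdn)
    if status == "bogus":
        return False, "DNSSEC validation failed: hard failure, do not issue"
    if status == "timeout-signed":
        return False, "lookup failed on a DNSSEC-signed zone: BR 3.2.2.8 forbids issuance"
    if status == "timeout-unsigned":
        return True, "lookup failed on an unsigned zone after retry: BR 3.2.2.8 permits issuance"
    if not rrset:
        return True, "no CAA records anywhere up the tree: issuance unrestricted"
    # An unknown property with the critical bit set forbids issuance outright.
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical tag '{rr.tag}': do not issue"
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issuewild" if wildcard and any(r.tag.lower() == "issuewild" for r in rrset) else "issue"
    restricting = [rr for rr in rrset if rr.tag.lower() == tag]
    if not restricting:
        return True, f"relevant set has no '{tag}' property: issuance permitted"
    for rr in restricting:
        issuer = rr.value.split(";", 1)[0].strip().lower()  # 'issue ";"' names nobody
        if issuer == ca_domain.lower():
            return True, f"'{tag}' names {ca_domain}"
    return False, f"'{tag}' records present but none names {ca_domain}"


# Constructed zone data; every name here is illustrative, not a real domain.
RESOLVER = FakeResolver({
    "good.example": Lookup([CAARecord(0, "issue", "ca-a.example")], signed=True),
    "wild.example": Lookup([CAARecord(0, "issue", "ca-a.example"),
                            CAARecord(0, "issuewild", "ca-b.example")]),
    "locked.example": Lookup([CAARecord(0, "issue", ";")]),
    "report-only.example": Lookup([CAARecord(0, "iodef", "mailto:sec@report-only.example")]),
    "strict.example": Lookup([CAARecord(CRITICAL, "futuretag", "x")]),
    "bogus.example": Lookup(status="bogus", signed=True),
    "slow-signed.example": Lookup(status="timeout", signed=True),
    "slow-unsigned.example": Lookup(status="timeout", signed=False),
})

if __name__ == "__main__":
    for name in ("www.good.example", "bogus.example", "slow-signed.example", "slow-unsigned.example"):
        print(name, may_issue(RESOLVER, name, "ca-a.example"))
```

The two failure cases from the study map onto `bogus` (deny, which all seven CAs got right) and `timeout` on a signed zone (deny, which three of seven got wrong). Note that `www.good.example` has no CAA record of its own and inherits its parent's policy through the tree climb.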
As for browser enforcement, that would be inappropriate in CAA anyway. CAA was always specified as being relevant at time-of-issuance only, not that the records would or should continue to conform to the issued set of still valid certs.
Obviously, I meant policy enforcement, not technical.
Apologies. I have seen others suggest real-time client-side revalidation of CAA records against the presented certificate, which would not be appropriate given the specific scope and nature of CAA as defined.