- From: Ryan Sleevi <ryan-ietf@sleevi.com>
- Date: Thu, 8 Aug 2019 20:30:39 -0400
- To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Cc: Watson Ladd <watson@cloudflare.com>
- Message-ID: <CAErg=HE+iVKy6LwrJMEEZsXVeMvK45-9qXTG36A3AX1k36XMhQ@mail.gmail.com>
On Thu, Aug 8, 2019 at 7:47 PM Ryan Sleevi <ryan-ietf@sleevi.com> wrote:

<Snip for everyone's benefit>

> You might say this is news.example's fault, for not rejecting CDN 1's
> certificate when it transitioned authority. This is BygoneSSL - and why I
> mentioned revocation. I don't think we'd suggest that CDN 1 is necessarily
> behaving adversarially - after all, news.example previously authorized them.
> However, CDN 1 doesn't know that news.example now has a relationship with
> CDN 2 (again, cf. BygoneSSL), and thus doesn't know it should stop
> advertising to serve news.example via CDN 1's connection.
>
> Does that resonate more?

I suppose it's worthwhile to highlight that the assumption underlying 6.5 - and explicitly stated in 6.1 - is the omission of a DNS check prior to using the asserted identity. That's not something inherent to secondary-certs, but something it inherits from Section 1.1 / RFC 8336.

If https://tools.ietf.org/html/draft-bishop-httpbis-origin-fed-up were to progress - such that a DNS check existed - then arguably the security concerns for 6.1 / 6.5 would disappear.

Put differently, the security risk is not in secondary-certs; it's in secondary-certs + skipping DNS. The current draft indirectly depends on skipping DNS, but that's something that can change, in which case I think some of the concerns highlighted would disappear. That's just not (yet?) in the current draft.
Received on Friday, 9 August 2019 00:31:14 UTC
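The scenario in the message above, as an added example that is not part of the thread or of any draft: a toy HTTP/2 connection-coalescing policy that decides whether an origin may be served over an existing connection. It runs the decision twice on the BygoneSSL case, once with the RFC 7540 section 9.1.1 style DNS check (the origin must resolve to the address of the connected peer) and once without it, which is the relaxation RFC 8336 allows and that the secondary-certs draft inherits. Hostnames, addresses, the in-memory DNS table and the `Connection` type are all constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Connection:
    """An open TLS/HTTP/2 connection (constructed type for the example)."""
    peer_ip: str          # address we actually connected to
    cert_names: set       # hostnames the peer has proven via primary or secondary certificates


# Constructed DNS snapshot. news.example has moved its authority to CDN 2
# (198.51.100.20); CDN 1 still answers on 192.0.2.10 for its own hostname.
DNS = {
    "news.example": {"198.51.100.20"},
    "static.cdn1.example": {"192.0.2.10"},
}


def resolve(host):
    """Stand-in resolver over the constructed table; unknown names resolve to nothing."""
    return DNS.get(host, set())


def may_coalesce(conn, origin, require_dns_check):
    """Return (allowed, reason) for serving `origin` over `conn`.

    Step 1 is what secondary certificates provide: the peer holds a valid
    certificate for the origin. Step 2 is the DNS check that RFC 7540 9.1.1
    requires and that RFC 8336 / the secondary-certs draft let a client skip.
    """
    if origin not in conn.cert_names:
        return False, "peer has not proven a certificate for origin"
    if require_dns_check and conn.peer_ip not in resolve(origin):
        return False, "origin does not resolve to the connected peer address"
    return True, "ok"


def bygone_scenario():
    """CDN 1 still holds an unexpired, unrevoked certificate for news.example
    even though news.example has since moved to CDN 2."""
    cdn1 = Connection(peer_ip="192.0.2.10",
                      cert_names={"static.cdn1.example", "news.example"})
    skip_dns, _ = may_coalesce(cdn1, "news.example", require_dns_check=False)
    with_dns, _ = may_coalesce(cdn1, "news.example", require_dns_check=True)
    return {"skip_dns": skip_dns, "with_dns": with_dns}


if __name__ == "__main__":
    for mode, allowed in bygone_scenario().items():
        print(f"{mode}: {'coalesced onto CDN 1' if allowed else 'rejected'}")
```

With the DNS check skipped, the stale-but-valid certificate alone is enough for the client to route news.example traffic to CDN 1; with the check in place the same connection is rejected because news.example no longer resolves to CDN 1's address. The certificate is identical in both runs, which is the point of the message: the exposure comes from the combination, not from secondary certificates by themselves.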