This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/members-discuss@ripe.net/
[members-discuss] Charging scheme 2025 proposal (logarithmic)
- Previous message (by thread): [members-discuss] Charging scheme 2025 proposal (logarithmic)
- Next message (by thread): [members-discuss] Charging scheme 2025 proposal (logarithmic)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Kaj Niemi
kajtzu at basen.net
Tue Apr 16 22:09:22 CEST 2024
If you have a state actor with their own CA they can issue whatever Evil Certificate that they need although I guess it would leave some kind of trail. That does sound slightly inconvenient. Agree that it is more convenient to have someone else issuing them. Plausible deniability and all that. The browsers really don’t care which CA issues the certificate and CAA records aren’t checked by the browsers (by design, I think?) and HPKP is not used anymore either? How does paying for a DV or the green EV - I think browsers don’t show this anymore - Good Certificate help then? Besides spending 1000 or whatever and ending up with the Good Certificate? The state actor can still have a Evil Certificate issued by someone else and your browser will be just as happy seeing it as if it were your Good Certificate. I guess the issuing CA should check CAA but do they all do that? I've never added any CAA records anywhere and have over the years procured a few of certificates. So I'm guessing that also not a real option. How should this be fixed, in your opinion, considering the above? Kaj Sent from my iPad ________________________________ From: Andrey Korolyov <andrey at xdel.ru> Sent: Tuesday, April 16, 2024 10:44:53 PM To: Kaj Niemi <kajtzu at basen.net> Cc: Petru Bunea <suport at bunea.eu>; Daniel Pearson <daniel at privatesystems.net>; members-discuss at ripe.net <members-discuss at ripe.net> Subject: Re: [members-discuss] Charging scheme 2025 proposal (logarithmic) [You don't often get email from andrey at xdel.ru. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] On Tue, Apr 16, 2024 at 10:30 PM Kaj Niemi <kajtzu at basen.net> wrote: > > Hi, > > > Both RIPE and their CDN seem to use DNSSEC. > > Indeed, the CDN utilizes LE as the issuing CA. The LE does publish the list of issued certificates as part of Certificate Transparency, as far as I know the list is public and can be consumed by anyone. > > Is there some specific concern you're thinking of? > > > > Kaj Yes, there is a simple way for circumventing the issuing procedure of LE certificates when an actor is able to act as man-in-the-middle, see [1] for example. Theoretical assumptions of the same kind of attack circulated around security-related communities since beginning of LE deployment and it's quite strange to see the org with annual budget of tens on M$ using zero-liability CA for the primary web resource. 1. https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftherecord.media%2Fjabber-ru-alleged-government-wiretap-expired-tls-certificate&data=05%7C02%7C%7Cd9f99cf886224ef283a108dc5e4db856%7Cd0b71c570f9b4acc923b81d0b26b55b3%7C0%7C0%7C638488935117222243%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C4000%7C%7C%7C&sdata=If7ZCGnKBRvSCs5t%2Faw8RuEqF53HS391HmnKe4cyMzE%3D&reserved=0<https://therecord.media/jabber-ru-alleged-government-wiretap-expired-tls-certificate> -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://www.ripe.net/ripe/mail/archives/members-discuss/attachments/20240416/921a484d/attachment.html>
- Previous message (by thread): [members-discuss] Charging scheme 2025 proposal (logarithmic)
- Next message (by thread): [members-discuss] Charging scheme 2025 proposal (logarithmic)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]