This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/members-discuss@ripe.net/
[members-discuss] Charging scheme 2025 proposal (logarithmic)
- Previous message (by thread): [members-discuss] Charging scheme 2025 proposal (logarithmic)
- Next message (by thread): [members-discuss] Charging scheme 2025 proposal (logarithmic)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Andrey Korolyov
andrey at xdel.ru
Tue Apr 16 22:21:32 CEST 2024
On Tue, Apr 16, 2024 at 11:09 PM Kaj Niemi <kajtzu at basen.net> wrote: > > If you have a state actor with their own CA they can issue whatever Evil Certificate that they need although I guess it would leave some kind of trail. That does sound slightly inconvenient. Agree that it is more convenient to have someone else issuing them. Plausible deniability and all that. > > The browsers really don’t care which CA issues the certificate and CAA records aren’t checked by the browsers (by design, I think?) and HPKP is not used anymore either? > > How does paying for a DV or the green EV - I think browsers don’t show this anymore - Good Certificate help then? Besides spending 1000 or whatever and ending up with the Good Certificate? The state actor can still have a Evil Certificate issued by someone else and your browser will be just as happy seeing it as if it were your Good Certificate. > > I guess the issuing CA should check CAA but do they all do that? I've never added any CAA records anywhere and have over the years procured a few of certificates. So I'm guessing that also not a real option. > > How should this be fixed, in your opinion, considering the above? > I think that you are overestimating the cost of the attack in question, the article says 'state actor' but due to low cost and low complexity it is available to a lot of interested parties. Of course 'big' CAs could be easily subverted by the government, even explicitly preserving the original cert's attributes, but it's pretty much impossible for a datacenter technician or system administrator to violate the integrity of the 'big' CA as it is possible for them to violate integrity of the LE issuing chain, since it relies exclusively on a DNS record validity and ultimately on a traffic path to a relevant IP address.
- Previous message (by thread): [members-discuss] Charging scheme 2025 proposal (logarithmic)
- Next message (by thread): [members-discuss] Charging scheme 2025 proposal (logarithmic)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]