<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> </head> <body> <div dir="ltr"> <div dir="ltr"><span style="font-size: inherit;">If you have a state actor with their own CA they can issue whatever Evil Certificate that they need although I guess it would leave some kind of trail. That does sound slightly inconvenient. Agree that it is more convenient to have someone else issuing them. Plausible deniability and all that.</span></div> <div dir="ltr"><span style="font-size: inherit;"><br> </span></div> <div dir="ltr"><span style="font-size: inherit;">The browsers really don’t care which CA issues the certificate and CAA records aren’t checked by the browsers (by design, I think?) and HPKP is not used anymore either?</span><br> </div> <div dir="ltr"><br> </div> <div dir="ltr">How does paying for a DV or the green EV - I think browsers don’t show this anymore - Good Certificate help then? Besides spending 1000 or whatever and ending up with the Good Certificate? The state actor can still have a Evil Certificate issued by someone else and your browser will be just as happy seeing it as if it were your Good Certificate.</div> <div dir="ltr"><br> </div> <div dir="ltr">I guess the issuing CA should check CAA but do they all do that? I've never added any CAA records anywhere and have over the years procured a few of certificates. So I'm guessing that also not a real option.</div> <div dir="ltr"><br> </div> <div dir="ltr"><span dir="ltr" style="text-decoration: none; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">How should this be fixed, in your opinion, considering the above?<span></span></span></div> <div dir="ltr"><span dir="ltr" style="text-decoration: none; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"><br> </span></div> <div dir="ltr"><br> </div> <div id="ms-outlook-mobile-signature"> <div><br> </div> <div dir="ltr"> <div dir="ltr">Kaj</div> <div dir="ltr"><br> </div> <div dir="ltr">Sent from my iPad</div> <div dir="ltr"><br> </div> </div> </div> </div> <hr style="display:inline-block;width:98%" tabindex="-1"> <div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Andrey Korolyov <andrey@xdel.ru><br> <b>Sent:</b> Tuesday, April 16, 2024 10:44:53 PM<br> <b>To:</b> Kaj Niemi <kajtzu@basen.net><br> <b>Cc:</b> Petru Bunea <suport@bunea.eu>; Daniel Pearson <daniel@privatesystems.net>; members-discuss@ripe.net <members-discuss@ripe.net><br> <b>Subject:</b> Re: [members-discuss] Charging scheme 2025 proposal (logarithmic)</font> <div> </div> </div> <div class="BodyFragment"><font size="2"><span style="font-size:11pt;"> <div class="PlainText">[You don't often get email from andrey@xdel.ru. Learn why this is important at <a href="https://aka.ms/LearnAboutSenderIdentification">https://aka.ms/LearnAboutSenderIdentification</a> ]<br> <br> On Tue, Apr 16, 2024 at 10:30 PM Kaj Niemi <kajtzu@basen.net> wrote:<br> ><br> > Hi,<br> ><br> ><br> > Both RIPE and their CDN seem to use DNSSEC.<br> ><br> > Indeed, the CDN utilizes LE as the issuing CA. The LE does publish the list of issued certificates as part of Certificate Transparency, as far as I know the list is public and can be consumed by anyone.<br> ><br> > Is there some specific concern you're thinking of?<br> ><br> ><br> ><br> > Kaj<br> <br> Yes, there is a simple way for circumventing the issuing procedure of<br> LE certificates when an actor is able to act as man-in-the-middle, see<br> [1] for example. Theoretical assumptions of the same kind of attack<br> circulated around security-related communities since beginning of LE<br> deployment and it's quite strange to see the org with annual budget of<br> tens on M$ using zero-liability CA for the primary web resource.<br> <br> 1. <a href="https://therecord.media/jabber-ru-alleged-government-wiretap-expired-tls-certificate"> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftherecord.media%2Fjabber-ru-alleged-government-wiretap-expired-tls-certificate&data=05%7C02%7C%7Cd9f99cf886224ef283a108dc5e4db856%7Cd0b71c570f9b4acc923b81d0b26b55b3%7C0%7C0%7C638488935117222243%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C4000%7C%7C%7C&sdata=If7ZCGnKBRvSCs5t%2Faw8RuEqF53HS391HmnKe4cyMzE%3D&reserved=0</a><br> </div> </span></font></div> </body> </html>