On Wed, Jun 12, 2024 at 05:14:42PM -0700, Nick Harper wrote:
> On Wed, Jun 12, 2024 at 3:17 AM Dennis Jackson <i...@dennis-jackson.uk>
> wrote:
> 
> > You can't argue that T.E. contains the functionality of
> > certificate_authorities as a subset, then conclude that having additional
> > functionalities makes it less risky. You would need to argue the exact
> > opposite, that T.E. doesn't contain the bad functionalities of
> > certificate_authorities. The risk associated with abuse of a feature is not
> > in any way diluted by tacking on good use cases.
> 
> For the abuse scenario, TE makes it no easier than certificate_authorities
> (the size of advertising the single malicious CA isn't a concern, whereas
> it is a problem when it's a browser's entire trust store that's
> advertised), and TE adds additional deployment complexity compared to
> certificate_authorities, which lessens the risk.

Furthermore, due to how TLS works, a client advertising a malicious CA is
a much bigger problem than a server using a malicious CA.


In TLS 1.3, an active attacker must commit to an attack after the Client Hello.

- If the attacker knows the client "trusts" a malicious CA, then the attack
  has very low risk: Unless mTLS is used (which is very rare), the attack
  will be successful.

- Trying to attack a server using a malicious CA has much higher risk: In
  addition to not using mTLS, the server must pick a CA with compromised
  keys. If the server picks something with good keys, the attack fails in
  a noisy way.


And in the latter case, the attacker needs to coerce servers, which are
much more numerous than clients (in terms of entities).




-Ilari

_______________________________________________
TLS mailing list -- tls@ietf.org