> 2. An attack where CA B (mistakenly) issues a certificate for corp.example,
> when it should have been CA A is called... ???
> I know it as Comodo-Gate.

(Your question almost identified an answer 😉 )

CAA (RFC6844, obsoleted by RFC8659), which was one good thing that came out of the Comodo-gate incident, helps to defend against exactly this sort of attack. (From the Abstract: "CAA Resource Records allow a public CA to implement additional controls to reduce the risk of unintended certificate mis-issue").

If applicable CAA "issue" and/or "issuewild" records exist that authorize only "CA A" to issue, then I suppose we would describe issuance (mistakenly) by "CA B" as "unauthorized issuance".

________________________________
From: Michael Richardson <mcr+i...@sandelman.ca>
Sent: 03 March 2025 22:26
To: uta@ietf.org <uta@ietf.org>
Subject: [Uta] webpki anchors and comodo-gate-style attacks

1. How do I cite the CABFORUM WebPKI set of anchors. Does it have a clear name? (Because it's not identical on all platforms/browsers/libraries).

2. An attack where CA B (mistakenly) issues a certificate for corp.example, when it should have been CA A is called... ??? I know it as Comodo-Gate.
https://www.theregister.com/2011/03/30/comodo_gate_latest/

But, is there a less name-branded name for this attack? (And what can I cite?)

This is for a Security Considerations for anima-brski-cloud, where I would like to argue for minimizing the number of trust anchors shipped with devices. With the tradeoff against flexibility.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
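As an added illustration (not code from either message), the check below walks a constructed zone the way RFC 8659 tells a CA to find the Relevant RRset and then decides whether a given CA is authorized, so that issuance by "CA B" for a name whose CAA records name only "CA A" comes out as unauthorized. All names, CA issuer domains and records are constructed; the lookup is an in-memory dict standing in for DNS.

```python
# Added example: minimal RFC 8659 CAA authorization check over constructed data.
# Constructed zone: name -> list of (flags, tag, value). None of these are real.
ZONE = {
    "corp.example.": [(0, "issue", "ca-a.example"),
                      (0, "iodef", "mailto:security@corp.example")],
    "wild.corp.example.": [(0, "issuewild", ";")],        # forbid wildcard issuance
    "iodef-only.example.": [(0, "iodef", "mailto:x@iodef-only.example")],
    "locked.example.": [(128, "unknowntag", "x")],         # critical, unrecognised tag
}

def relevant_caa_set(fqdn: str) -> list:
    """RFC 8659 Section 3: climb towards the root until a non-empty CAA RRset is found."""
    name = fqdn.rstrip(".") + "."
    if name.startswith("*."):          # the wildcard label itself is never queried
        name = name[2:]
    while name:                        # "" stands for the root, where we stop
        rrset = ZONE.get(name, [])
        if rrset:
            return rrset
        name = name.split(".", 1)[1]   # Parent(): drop the leftmost label
    return []

def ca_may_issue(fqdn: str, ca_domain: str) -> bool:
    """True iff RFC 8659 permits the CA identified by ca_domain to issue for fqdn."""
    rrset = relevant_caa_set(fqdn)
    known = {"issue", "issuewild", "iodef"}
    # A critical flag (bit 128) on a tag the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in known for flags, tag, _ in rrset):
        return False
    wildcard = fqdn.startswith("*.")
    wild = [v for _, t, v in rrset if t == "issuewild"]
    if wildcard and wild:
        governing = wild               # issuewild overrides issue for wildcard names
    else:
        governing = [v for _, t, v in rrset if t == "issue"]
    if not governing:
        return True                    # no issue/issuewild tags: CAA imposes no restriction
    # Value is "issuer-domain-name[; parameters]"; an empty issuer name authorises nobody.
    names = {v.split(";", 1)[0].strip().lower() for v in governing}
    return ca_domain.lower() in names

if __name__ == "__main__":
    print(ca_may_issue("www.corp.example", "ca-a.example"))   # authorised CA
    print(ca_may_issue("www.corp.example", "ca-b.example"))   # the Comodo-gate-style case
```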