Gentoo Archives: gentoo-user

From: Grant Taylor <gtaylor@×××××××××××××××××××××.net>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] app-misc/ca-certificates
Date: Wed, 02 Jun 2021 01:51:04
In Reply to: Re: [gentoo-user] app-misc/ca-certificates by Michael Orlitzky
1 On 6/1/21 3:38 PM, Michael Orlitzky wrote:
2 > *Any* CA can just generate a new key and sign the corresponding
3 > certificate.
5 This is where what can /technically/ be done diverges from what is
6 /allowed/ to be done.
8 CAs adhering to the CA/B Forum's requirements on CAA records mean that
9 they aren't allowed to issue a certificate for a domain that doesn't
10 list them in the CAA record.
12 If a CA violates the CAA record requirement, then the CA has bigger
13 issues and will be subject to distrusting in mass.
15 Certificate Transparency logs make it a lot easier to identify if such
16 shenanigans are done. -- I think that the CA/B Forum is also requiring
17 C.T. Logs.
19 Also, CAs /should/ *NOT* be generating keys. The keys should be
20 generated by the malicious party trying to pull the shenanigans that
21 you're talking about.
23 > All browsers will treat their fake certificate corresponding to the
24 > fake key on their fake web server as completely legitimate. The "real"
25 > original key that you generated has no special technical properties
26 > that distinguish it.
28 Not /all/ browsers. I know people that have run browser extensions to
29 validate the TLS certificate that they receive against records published
30 via DANE in DNS, which is protected by DNSSEC. So it's effectively
31 impossible for a rogue CA and malicious actor to violate that chain of
32 trust in a way that can't be detected and acted on.
36 --
37 Grant. . . .
38 unix || die


Subject Author
Re: [gentoo-user] app-misc/ca-certificates "J. Roeleveld" <joost@××××××××.org>
Re: [gentoo-user] app-misc/ca-certificates Fannys <marinus.savoritias@×××××××.dev>