[Cryptography] New free TLS CA coming

Dave Howe davehowe.pentesting at gmail.com
Thu Nov 20 04:42:21 EST 2014


On 19/11/2014 18:16, Viktor Dukhovni wrote:
> Is it reasonable to infer control of the domain based on the ability
> to publish content at a chosen location on the domain's current website?
Partially.

It is reasonable to infer that most damage that can be done by abuse of
an issued certificate can be done by someone able to publish content at
an arbitrary location on the website, regardless of whether they own that
domain or not.  Given how poor the checking for even EV is from certain
CAs, that's probably MORE secure than the process we have seen
erroneously issue certs in the last few years.

For https, that's probably good enough (although that doesn't of course
cover cases where a cert for the site could *also* be used for other
purposes perhaps the domain owner wouldn't approve of, but as those will
usually be something other than a web browser doing the trust
evaluation, you can possibly fix that by not including the root in those
other somethings).

> Should any HTTP site hosting provider be able to independently acquire
> new certificates for the domain?
Other solutions have similar considerations. If you look at something
like DANE, then you are inferring control over DNS records equates to
ownership of the domain (slightly more reasonable, but only slightly;
many hosting providers also provide the control panel that manages DNS
records, and the DNS servers themselves) and methods that rely on email
to the technical contact or even webmaster/postmaster at the domain
aren't much better either.


