[NCAP-Discuss] [Ext] Re: Draft final Study 1 report

Rubens Kuhl rubensk at nic.br
Wed Apr 29 22:31:42 UTC 2020



> On 29 Apr 2020, at 17:31, Danny McPherson <danny at tcb.net> wrote:
> 
> On 2020-04-29 16:11, Rubens Kuhl wrote:
>> Anne,
>> Most of what you posted is more of the same and I'll just refer people
>> to my previous comments on them, available on both list archives. On
>> the man in the middle issue, this was already identified by SAC 057,
>> and had its most prominent threat vector mitigated by measures by both
>> the ICANN collision framework and CA/B Forum guidelines that now don't
>> allow certificates for not-delegated TLDs. Other than that specific
>> threat vector, commonplace security measures in Internet applications
>> already handle man in the middle threats, regardless of being
>> collision-related or not.
> 
> SAC057 certainly helped some in the case of webPKI, but it has little to nothing to do with the entire class of attack vectors that are enabled via service discovery protocols.

Although not all of them, a good part of service discovery I saw in the wild (while doing packet captures to diagnose issues not related to collisions) include underline (_), a character that is not allowed in domain registrations.
So most of them are already mitigated by default, and nevertheless covered by controlled interruption notification if the query reaches the CI servers. Of those 45+ protocols, how many of them use non-underline QNAMEs?

The one I remember is WPAD, which is why WPAD is in all our reserved lists, something that the New gTLD Applicant Group suggested (among other strings) during collision discussions. When your employer ends up delegating .web I hope wpad.web will be on such a reserved name list.

> 
> Further, that all assumes you think webPKI, where you're only as secure as the least secure certification authority in your application's truststore, is, err... secure.

WebPKI has been improved over the years with CAA and more stringent criteria to get in and decisive action to get out of trust stores, and while it's not perfect, it's a security baseline of what people seem to be willing to live with.


Rubens

> 
> 
> -danny
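As an added illustration of the underscore point in the message above (this is not code from the thread; the sample query names and the candidate TLD "web" are constructed), a small Python checker that sorts observed QNAMEs under a candidate TLD into underscore-labelled service-discovery names, which ordinary registration rules already keep unregistrable, and plain LDH names such as wpad.<tld> that would need a reserved-name entry:

```python
import re
from collections import defaultdict

# Constructed sample QNAMEs, in the style of what a capture or a
# controlled-interruption server log might show for TLD "web". Not real data.
SAMPLE_QNAMES = [
    "_ldap._tcp.dc._msdcs.corp.web.",
    "_kerberos._udp.corp.web.",
    "_sip._tcp.corp.web.",
    "wpad.web.",
    "wpad.corp.web.",
    "isatap.corp.web.",
    "mail.corp.web.",
    "_ipp._tcp.local.",   # mDNS/DNS-SD, not under the candidate TLD
    "wpad.example.",      # another TLD, ignored
]
# A label a registry would accept: letters, digits, hyphen (LDH),
# no leading or trailing hyphen, 1 to 63 octets.
LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def labels(qname):
    """Lowercase labels of an absolute or relative QNAME."""
    return [l for l in qname.lower().rstrip(".").split(".") if l]

def under_tld(qname, tld):
    lab = labels(qname)
    return bool(lab) and lab[-1] == tld.lower()

def service_labels(qname):
    """Underscore-prefixed (SRV / DNS-SD style) labels, e.g. ['_ldap', '_tcp']."""
    return [l for l in labels(qname) if l.startswith("_")]

def is_registrable(qname):
    """True if every label could be registered under plain LDH rules."""
    return all(LDH_LABEL.match(l) for l in labels(qname))

def classify(qnames, tld):
    """Split queries under `tld` into names the underscore rule already blocks
    (counted per leading service label) and registrable names that would
    need a reserved-name entry. Returns (services, registrable)."""
    services, registrable = defaultdict(int), []
    for q in qnames:
        if not under_tld(q, tld):
            continue
        svc = service_labels(q)
        if svc:
            services[svc[0]] += 1   # leading label names the protocol
        elif is_registrable(q):
            registrable.append(q)
    return dict(services), registrable
```

Running `classify(SAMPLE_QNAMES, "web")` on the constructed sample reports three underscore-based protocols and four plain names, the latter being the reserved-list candidates.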
