Comment by likeabatterycar

2 days ago

> Our six-day certificates will not include OCSP or CRL URLs.

If someone else did this, Mozilla would be threatening to remove them from their trusted roots.

IP address certs sound like a security nightmare that could be subverted by BGP hijacking. Which is why most CAs don't issue them. Does accessing the ACME challenge from multiple endpoints adequately prevent this type of attack?

Not true. CAs are explicitly allowed to omit CRL support for certificates with a lifetime <= 10 days.

  • > §1.6.1 Definitions

    > Short-lived Subscriber Certificate: For Certificates issued on or after 15 March 2024 and prior to 15 March 2026, a Subscriber Certificate with a Validity Period less than or equal to 10 days (864,000 seconds). For Certificates issued on or after 15 March 2026, a Subscriber Certificate with a Validity Period less than or equal to 7 days (604,800 seconds).

    […]

    > §7.1.2.11.2 CRL Distribution Points

    > The CRL Distribution Points extension MUST be present in: Subordinate CA Certificates; and Subscriber Certificates that 1) do not qualify as “Short-lived Subscriber Certificates” and 2) do not include an Authority Information Access extension with an id-ad-ocsp accessMethod.

    * https://cabforum.org/working-groups/server/baseline-requirem...

    OCSP does not seem to be mandated in the latest Base Requirements.

> IP address certs sound like a security nightmare that could be subverted by BGP hijacking.

The attack scenario is exactly the same as hostname certificates, which are often validated by HTTP or TLS ACME challenges.

> Does accessing the ACME challenge from multiple endpoints adequately prevent this type of attack?

Yes. You'd essentially have to MitM all traffic towards the IP for it to work, and with more and more networks rolling out BGP origin validation a global BGP hijack becomes harder and harder to pull off.

You'd still be in trouble if you expect your own ISP to be hostile, of course. Don't single-home with an ISP you don't trust, or stick with domain name certs and force DNS challenges.

  • Given this weakness in ACME, I don't understand why cloud providers don't provide transparent 443 proxying by default. I guess it's security theater.

I wonder if they could mandate that IP address certs could only be issued for IPs owned by an AS that has RPKI enabled.

  • Last I read, RPKI data gets stripped if it passes through an AS that doesn’t support it. Has that changed?

    • Uh, not that I know of. You typically run your own validator and configure your router to use it if you care.
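
The rule quoted from §1.6.1 and §7.1.2.11.2 earlier in the thread, written out as a check. This is an added example, not part of any comment or of any CA's tooling. The function names are hypothetical, the issuance date is taken to be notBefore, and the Validity Period is counted inclusive of both endpoints, as RFC 5280 defines it.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
DEFINITION_START = datetime(2024, 3, 15, tzinfo=UTC)  # first date the quoted definition covers
LIMIT_CHANGE = datetime(2026, 3, 15, tzinfo=UTC)      # limit drops from 10 days to 7 days
LIMIT_10_DAYS = 864_000                               # seconds, as quoted in §1.6.1
LIMIT_7_DAYS = 604_800                                # seconds, as quoted in §1.6.1


def validity_seconds(not_before, not_after):
    # Assumption: notBefore and notAfter both count (RFC 5280), hence the +1.
    return int((not_after - not_before).total_seconds()) + 1


def is_short_lived(not_before, not_after):
    # Assumption: the issuance date is the certificate's notBefore.
    if not_before < DEFINITION_START:
        return False  # the quoted definition does not cover earlier certificates
    limit = LIMIT_10_DAYS if not_before < LIMIT_CHANGE else LIMIT_7_DAYS
    return validity_seconds(not_before, not_after) <= limit


def crl_dp_required(subordinate_ca, not_before, not_after, has_ocsp_aia):
    """Quoted §7.1.2.11.2: MUST the CRL Distribution Points extension be present?"""
    if subordinate_ca:
        return True
    return not is_short_lived(not_before, not_after) and not has_ocsp_aia


# Constructed samples: (label, notBefore, notAfter - notBefore, has OCSP AIA)
SAMPLES = [
    ("160h cert, 2025", datetime(2025, 6, 1, tzinfo=UTC), timedelta(hours=160), False),
    ("8d cert, 2025", datetime(2025, 6, 1, tzinfo=UTC), timedelta(days=8), False),
    ("8d cert, 2026-04", datetime(2026, 4, 1, tzinfo=UTC), timedelta(days=8), False),
    ("90d cert + OCSP", datetime(2025, 6, 1, tzinfo=UTC), timedelta(days=90), True),
]


def evaluate(samples):
    # Returns (label, short-lived?, CRL DP required?) for subscriber certificates.
    return [(label, is_short_lived(nb, nb + life),
             crl_dp_required(False, nb, nb + life, ocsp))
            for label, nb, life, ocsp in samples]


if __name__ == "__main__":
    for row in evaluate(SAMPLES):
        print(row)
```

The same 8-day lifetime falls on opposite sides of the rule depending on whether the certificate is issued before or after 15 March 2026.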