cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
- From: Daniel Black <daniel AT cacert.org>
- To: cacert-sysadm AT lists.cacert.org
- Subject: Re: [Cacert-sysadm] CAcert email address snafu
- Date: Sun, 10 Aug 2008 09:59:56 +1000
- List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
- List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>
- Organization: CACert
On Sat, 9 Aug 2008 09:32:44 pm IanG wrote:
> Huh? CAcert cannot send email to ... CAcert email
> addresses?
> Is this the "Tunix firewalling????"
yes
>
> (I'm trying to add the domain to my account
you're trying to become authoritative for @cacert.org? /me laughs and grumbles
something about independence.
I'm assuming you mean getting a certificate for your
iang AT cacert.org.
> ... something
> that *could* be done automatically, as the authority for
> using that account is already within CAcert.)
it could, though there are bigger things to worry about than the issuing of a
few certificates to our own organisation. It's covered in the
https://wiki.cacert.org/wiki/CommunityEmail FAQ.
On Sun, 10 Aug 2008 02:50:13 am IanG wrote:
>
> What I want to know is *why* and *what* and *where*???
>
> The reason is this: The certificates that are issued by
> CAcert are *critically* dependent on email. If I can fiddle
> the mail, I can add any domain or email, and get a cert for it!
this requires more explanation. How and where are you fiddling the email? Can
you redirect an email elsewhere?
> So, anything that happens to email is a concern. (To
> underscore this, note that DRC says that the email testing
> by CAcert is inadequate to audit, so the current situation
> must change.)
>
> So, whatever is happening to email, we need some doco, some
> policy, some understanding. (And we need to fix the audit
> bugs.)
What are the audit criteria with respect to email?
> That's what I'm asking: what is going on, how much can we
> rely on email,
Reasonably. I think. Though there are threat models (below) they are a lot of
effort.
> who is poking around and greylisting and
> blacklisting and goldlisting and whatever... ,
most email admins to some extent.
> and what does
> this do to the security model surrounding certificates?
With greylisting this means that the email only gets attempted the first time
(content isn't actually sent) and the second time it goes through. Normal
time interval is about 5 minutes.
To exploit this you need a motivation to exploit a person to obtain a
certificate for their person/domain. How can this be done via email? To get
access to the account you need to answer the password reset questions, gain a
certificate that is allowed to login, or know the password that was entered
via a https site.
I'm going to keep going on the basis that I missed a mechanism to exploit
this via email.
I don't think the effort to do this against a single person is sufficient, so
let's scale up. The only way that I can think to do this is wholesale DNS
spoofing of the NS of .com. Alternately a passive interception of some pipes or
some fiddling with BGP routes.
All these threat models are not affected by greylisting as they obtain the
email 5 minutes later anyway.
There are some business effects with a user not being able to see the status
of an email when they have requested an email verification or domain access,
or are trying to assure a non-existent address.
--
Daniel Black
(daniel AT cacert.org)
Email Administrator
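As an added illustration (not part of this message or of CAcert's mail setup), here is a minimal greylisting decision in Python. It tracks the (client IP, envelope sender, envelope recipient) triplet, temporarily rejects the first delivery attempt so the message body is never transferred, and accepts a retry once the roughly five-minute interval described above has passed. The Postfix policy-delegation wrapper and the attribute names client_address/sender/recipient are assumptions about how such a check would be plugged into an MTA; the timing constants and sample requests are constructed.

```python
"""Minimal greylisting policy, modelled on the behaviour described in the message.

Added example, not CAcert's code. The Postfix policy protocol handling is an
assumption about how such a check is wired into an MTA.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Triplet = Tuple[str, str, str]  # (client IP, envelope sender, envelope recipient)


@dataclass
class GreylistPolicy:
    # Seconds a sender must wait before a retry is honoured (the ~5 minute interval).
    min_delay: int = 300
    # A retry later than this is treated as a fresh first attempt (constructed value).
    retry_window: int = 4 * 3600
    _pending: Dict[Triplet, int] = field(default_factory=dict)   # triplet -> first-seen time
    _passed: Set[Triplet] = field(default_factory=set)           # triplets that retried correctly

    def decide(self, client_ip: str, sender: str, recipient: str, now: int) -> str:
        """Return 'accept' or 'tempfail' for one delivery attempt at time `now`."""
        key = (client_ip, sender, recipient)
        if key in self._passed:
            return "accept"                 # already proved it retries like a real MTA
        first = self._pending.get(key)
        if first is None:
            self._pending[key] = now
            return "tempfail"               # 4xx: content is not sent on the first attempt
        age = now - first
        if age < self.min_delay:
            return "tempfail"               # retried too early; keep deferring
        if age > self.retry_window:
            self._pending[key] = now
            return "tempfail"               # record went stale; start the cycle again
        self._passed.add(key)
        del self._pending[key]
        return "accept"                     # legitimate retry after the delay: let it through


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse 'name=value' lines as sent by Postfix's policy delegation (assumed format)."""
    attrs = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition("=")
        attrs[name.strip()] = value.strip()
    return attrs


def postfix_response(policy: GreylistPolicy, raw_request: str, now: int) -> str:
    """Map a policy decision to a Postfix-style action line (assumed attribute names)."""
    attrs = parse_policy_request(raw_request)
    verdict = policy.decide(attrs["client_address"], attrs["sender"], attrs["recipient"], now)
    if verdict == "accept":
        return "action=DUNNO\n\n"           # no opinion; later restrictions decide
    return "action=DEFER_IF_PERMIT Greylisted, please try again later\n\n"


# Constructed sample request, shaped like a Postfix policy delegation query.
SAMPLE_REQUEST = """request=smtpd_access_policy
client_address=192.0.2.10
sender=verify@example.org
recipient=user@example.net
"""


def simulate_verification_mail() -> list:
    """Show what a sending MTA sees over time for one verification email (constructed timeline)."""
    policy = GreylistPolicy()
    timeline = []
    for t in (0, 60, 320, 321):             # first try, early retry, retry after 5 min, second message
        timeline.append((t, postfix_response(policy, SAMPLE_REQUEST, t).split("\n")[0]))
    return timeline


if __name__ == "__main__":
    for t, action in simulate_verification_mail():
        print(f"t={t:4d}s  {action}")
```

The early retry at 60 seconds is still deferred, which is why a user watching for a verification email sees nothing until the sending MTA's retry schedule passes the minimum delay; once a triplet has retried correctly, later messages on the same triplet are accepted immediately.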