[cabfpub] Revisiting CAA

Phillip Hallam-Baker philliph at comodo.com
Fri May 2 10:53:54 MST 2014

Gerv makes a good point. But I will point out that the reason the CAA spec says nothing about what the CA has to do in response to a 
non-compliant request is that the IETF is the wrong forum to discuss such issues.

What approaches are appropriate are going to depend on take-up by the domain name holders and what attacks we see. Those will change 
over time. So CABForum is a better place to discuss such issues.

-----Original Message----- 
From: Gervase Markham
Sent: Friday, May 02, 2014 11:54 AM
To: kirk_hall at trendmicro.com ; Rick Andrews ; public at cabforum.org
Subject: Re: [cabfpub] Revisiting CAA

On 02/05/14 16:40, kirk_hall at trendmicro.com wrote:
> Can anyone identify one case -- even one -- of mis-issuance of a
> certificate by a CA that would have been prevented by CAA?  (I can't
> think of one.)

It depends how CAs implement CAA. If the CA implements CAA as, among
other things, a separate automated sanity check on all certificates,
just before they go out the door, using an isolated system - and certs
which fail have to be manually approved - then I can see it catching
several of the recent misissuances.

If the CA implements CAA as a printed warning on the certificate
issuance screen that the operator can choose to deal with or ignore, I
imagine it would catch fewer misissuances.
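As an added illustration of the automated pre-issuance check Gerv describes (not code from this thread or from any CA), the following evaluates the RFC 6844 CAA rules for a requested name and returns an issue/hold decision instead of a warning; the DNS records and the issuer name ca.example are constructed assumptions.

```python
# Constructed stand-in for DNS: name -> list of (flags, tag, value) CAA RRs.
# A real checker would resolve these (DNSSEC-validated) from an isolated host.
CAA_RECORDS = {
    "example.com.": [(0, "issue", "ca.example; account=42"), (0, "issuewild", ";")],
    "locked.example.": [(128, "future-tag", "x")],  # critical flag, unknown tag
    "noca.example.": [(0, "issue", ";")],            # empty issuer: nobody may issue
}
OUR_ISSUER_DOMAIN = "ca.example"  # assumed name this CA publishes for CAA matching
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_rrset(fqdn):
    """RFC 6844 tree climb: the first CAA RRset found walking from the
    requested name (wildcard label removed) up toward the root governs issuance."""
    labels = fqdn.rstrip(".").lstrip("*.").split(".")
    for i in range(len(labels)):
        rrset = CAA_RECORDS.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def issuer_of(value):
    """The issuer domain is the part of the property value before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn, issuer_domain=OUR_ISSUER_DOMAIN):
    """Pre-issuance gate. Returns (allowed, reason); a False result should
    hold the request for manual approval rather than warn and proceed."""
    rrset = relevant_caa_rrset(fqdn)
    if not rrset:
        return True, "no CAA records found: issuance not restricted"
    # A critical property the CA does not understand forbids issuance outright.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False, "critical CAA property not understood: must not issue"
    wildcard = fqdn.startswith("*.")
    has_wild = any(t == "issuewild" for _, t, _ in rrset)
    tag = "issuewild" if wildcard and has_wild else "issue"
    props = [issuer_of(v) for _, t, v in rrset if t == tag]
    if not props:
        return True, "no %s property: issuance not restricted" % tag
    if issuer_domain.lower() in props:
        return True, "%s authorises %s" % (tag, issuer_domain)
    return False, "%s does not authorise %s: hold for manual review" % (tag, issuer_domain)
```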
