[cabfpub] Revisiting CAA

Gervase Markham gerv at mozilla.org
Fri May 2 15:54:48 UTC 2014


On 02/05/14 16:40, kirk_hall at trendmicro.com wrote:
> Can anyone identify one case -- even one -- of mis-issuance of a
> certificate by a CA that would have been prevented by CAA?  (I can't
> think of one.)

It depends how CAs implement CAA. If the CA implements CAA as, among
other things, a separate automated sanity check on all certificates,
just before they go out the door, using an isolated system - and certs
which fail have to be manually approved - then I can see it catching
several of the recent misissuances.

If the CA implements CAA as a printed warning on the certificate
issuance screen that the operator can choose to deal with or ignore, I
imagine it would catch fewer misissuances.

Gerv
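
The first implementation style described in this message, an automated CAA check that runs on every certificate just before release and holds failures for manual approval, could look like the following. This is an added example, not part of the original email and not any CA's code. `CA_ID`, the `SAMPLE_CAA` records, and the `lookup` callable standing in for a DNS query are assumptions, and the tree climbing is simplified (no CNAME handling).

```python
# Added example: CAA as an automated gate just before certificates are released.
CA_ID = "ca.example"  # assumption: this CA's issuer domain name
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
# Constructed CAA data (name -> [(flags, tag, value)]); stands in for DNS.
SAMPLE_CAA = {
    "example.com": [(0, "issue", "ca.example")],
    "example.org": [(0, "issue", "other-ca.example")],
    "example.net": [(0, "issue", "ca.example"), (0, "issuewild", ";")],
    "odd.example": [(128, "futuretag", "x")],  # critical bit, unknown tag
}

def relevant_rrset(name, lookup):
    """Climb from the name toward the root; first non-empty CAA set wins."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = lookup(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def caa_permits(name, ca_id, lookup):
    """Return (permitted, reason) for one name in the certificate."""
    rrset = [(f, t.lower(), v) for f, t, v in relevant_rrset(name, lookup)]
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag not in KNOWN_TAGS:
            return False, "unrecognized critical property " + tag
    tags = {t for _, t, _ in rrset}
    # issuewild, when present, replaces issue for wildcard names.
    wanted = "issuewild" if name.startswith("*.") and "issuewild" in tags else "issue"
    if wanted not in tags:
        return True, "no " + wanted + " restriction"
    allowed = {v.split(";", 1)[0].strip().lower() for _, t, v in rrset if t == wanted}
    if ca_id.lower() in allowed:
        return True, "authorized by " + wanted
    return False, wanted + " does not list " + ca_id

def gate(cert_names, ca_id=CA_ID, lookup=SAMPLE_CAA.get):
    """Release only if every name passes; otherwise hold for manual approval."""
    failures = []
    for name in cert_names:
        ok, reason = caa_permits(name, ca_id, lookup)
        if not ok:
            failures.append((name, reason))
    return ("HOLD_FOR_MANUAL_APPROVAL" if failures else "RELEASE", failures)
```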


