[cabfpub] Revisiting CAA

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Fri May 2 16:08:01 UTC 2014

A response to both Ryan and Gerv in this issue -- I'm not saying there have been no mis-issuance of certs -- we have Diginotar, plus some other earlier hacker issues.

I'm trying to find examples where someone said to a CA "Hey, you knowingly issued a cert for my domain (i.e., not a hacking case), and I didn't authorize it."  Even among the biggest fraud targets, like Google, etc.  Has that ever happened?

I don't think CAA will actually be useful in the cases where a CA is conducting vetting as required.  And f a CA isn't conducting vetting as required, the CA probably would not be prevented from issuing a cert because of CAA.  It seems like its biggest effect will to pose a barrier for customers from switching to a new CA (or from buying certs from multiple CAs).

If we can't think of any cases of mistaken intentional issuance by a CA, the case for CAA is pretty weak.

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Friday, May 02, 2014 8:55 AM
To: Kirk Hall (RD-US); Rick Andrews; public at cabforum.org
Subject: Re: [cabfpub] Revisiting CAA

On 02/05/14 16:40, kirk_hall at trendmicro.com wrote:
> Can anyone identify one case -- even one -- of mis-issuance of a 
> certificate by a CA that would have been prevented by CAA?  (I can't 
> think of one.)

It depends how CAs implement CAA. If the CA implements CAA as, among other things, a separate automated sanity check on all certificates, just before they go out the door, using an isolated system - and certs which fail have to be manually approved - then I can see it catching several of the recent misissuances.

If the CA implements CAA as a printed warning on the certificate issuance screen that the operator can choose to deal with or ignore, I imagine it would catch fewer misissuances.


<table class="TM_EMAIL_NOTICE"><tr><td><pre>
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.

More information about the Public mailing list