[cabfpub] Revisiting CAA

Jeremy Rowley jeremy.rowley at digicert.com
Fri May 2 16:24:05 UTC 2014

I would agree with Kirk if OV were used everywhere.  However, considering
how many requests for verification I receive from competitors for approval
of a DV cert, a domain holder can easily unintentionally authorize a
certificate, not realizing it is an attacker.  Use of CAA acts as an
authorization limiter to, hopefully, reduce the number of fake domain
verification requests a domain holder receives and reduce the likelihood of
an unintentional issuance.

Considering there isn't a revocation reason code for "accidentally approved
an attacker", I don't think you can find this information directly.
However, considering the size of certain CRLs, I don't think it's illogical
to conclude this probably happens. 


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of kirk_hall at trendmicro.com
Sent: Friday, May 2, 2014 10:08 AM
To: Gervase Markham; Rick Andrews; public at cabforum.org
Subject: Re: [cabfpub] Revisiting CAA

A response to both Ryan and Gerv in this issue -- I'm not saying there have
been no mis-issuances of certs -- we have Diginotar, plus some other earlier
hacker issues.

I'm trying to find examples where someone said to a CA "Hey, you knowingly
issued a cert for my domain (i.e., not a hacking case), and I didn't
authorize it."  Even among the biggest fraud targets, like Google, etc.  Has
that ever happened?

I don't think CAA will actually be useful in the cases where a CA is
conducting vetting as required.  And if a CA isn't conducting vetting as
required, the CA probably would not be prevented from issuing a cert because
of CAA.  It seems like its biggest effect will be to pose a barrier for
customers from switching to a new CA (or from buying certs from multiple

If we can't think of any cases of mistaken intentional issuance by a CA, the
case for CAA is pretty weak.

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Friday, May 02, 2014 8:55 AM
To: Kirk Hall (RD-US); Rick Andrews; public at cabforum.org
Subject: Re: [cabfpub] Revisiting CAA

On 02/05/14 16:40, kirk_hall at trendmicro.com wrote:
> Can anyone identify one case -- even one -- of mis-issuance of a 
> certificate by a CA that would have been prevented by CAA?  (I can't 
> think of one.)

It depends how CAs implement CAA. If the CA implements CAA as, among other
things, a separate automated sanity check on all certificates, just before
they go out the door, using an isolated system - and certs which fail have
to be manually approved - then I can see it catching several of the recent

If the CA implements CAA as a printed warning on the certificate issuance
screen that the operator can choose to deal with or ignore, I imagine it
would catch fewer misissuances.
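The automated pre-issuance gate Gerv describes, as an added example that is not part of any message in this thread: a CAA check in the RFC 6844 style that walks from the requested name up its ancestors, honours issue/issuewild and the issuer-critical flag, and returns a hold-for-manual-review decision instead of a silent pass. The zone data, CA names and function names are constructed assumptions so the check runs offline.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) is the issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", or something unknown
    value: str   # "ca.example.net[; params]" or ";" meaning "no CA at all"

# Constructed zone data standing in for DNS answers (assumed names, not real).
DNS = {
    "example.com": [CAARecord(0, "issue", "ca.example.net"),
                    CAARecord(0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [CAARecord(0, "issue", ";")],
    "example.org": [CAARecord(0, "issue", "ca.example.net"),
                    CAARecord(0, "issuewild", "wild.example.net")],
    "strict.example.org": [CAARecord(128, "futuretag", "x")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_caa_set(name):
    """RFC 6844 section 4: first non-empty CAA RRset walking from the name up its ancestors."""
    labels = name.lower().split(".")
    for i in range(len(labels)):
        rrset = DNS.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []          # no CAA anywhere in the chain: issuance is unrestricted

def caa_permits(name, issuer_domain):
    """Return (allowed, reason); False is the signal to hold the request for manual approval."""
    rrset = relevant_caa_set(name)
    if not rrset:
        return True, "no CAA records found: issuance unrestricted"
    # A critical property the issuer does not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False, "unrecognised issuer-critical CAA property present"
    wildcard = name.startswith("*.")
    tag = "issuewild" if wildcard else "issue"
    props = [r for r in rrset if r.tag == tag]
    if wildcard and not props:          # no issuewild: issue governs wildcards too
        props = [r for r in rrset if r.tag == "issue"]
    if not props:
        return True, "no issue/issuewild property: issuance unrestricted"
    # Strip any "; key=value" parameters; an empty domain means "nobody".
    allowed = {r.value.split(";")[0].strip().lower() for r in props}
    if issuer_domain.lower() in allowed:
        return True, f"{issuer_domain} is authorised by CAA {tag}"
    return False, f"{issuer_domain} is not among {sorted(allowed)}; hold for review"
```

Running this on an isolated host against live DNS (rather than the constructed table) and routing every False result to a human approver is the "separate automated sanity check" variant; the weaker "warning on screen" variant would simply print the reason and carry on.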

