[cabfpub] Revisiting CAA

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Sat May 3 00:54:13 UTC 2014

Another concern we have with CAA (apart from the fact that it would not have avoided any known cases of certificate mis-issuance in the past) is that often in larger companies (the most typical fraud targets), the person who buys the certs is not the person who manages the DNS -- and often, the person who buys the certs doesn't even know who is managing the DNS.

Gerv -- at one point, you were going to conduct a test within Mozilla on this point -- how easy/hard was it to get CAA notations put in the proper DNS records, and how easy was it to coordinate the buyer(s) of certs for Mozilla with the various people in charge of the DNS for Mozilla's websites.  As I recall, you found it somewhat difficult to discover and coordinate the two groups.  Is that correct?

-----Original Message-----
From: Phillip Hallam-Baker [mailto:philliph at comodo.com] 
Sent: Friday, May 02, 2014 10:54 AM
To: Gervase Markham; Kirk Hall (RD-US); Rick Andrews; public at cabforum.org
Subject: Re: [cabfpub] Revisiting CAA

Gerv makes a good point. But I will point out that the reason the CAA spec says nothing about what the CA has to do in response to a non-compliant request is that the IETF is the wrong forum to discuss such issues.

What approaches are appropriate are going to depend on takeup by the domain name holders and what attacks we see. Those will change over time. So CABForum is a better place to discuss such issues.

-----Original Message-----
From: Gervase Markham
Sent: Friday, May 02, 2014 11:54 AM
To: kirk_hall at trendmicro.com ; Rick Andrews ; public at cabforum.org
Subject: Re: [cabfpub] Revisiting CAA

On 02/05/14 16:40, kirk_hall at trendmicro.com wrote:
> Can anyone identify one case -- even one -- of mis-issuance of a 
> certificate by a CA that would have been prevented by CAA?  (I can't 
> think of one.)

It depends how CAs implement CAA. If the CA implements CAA as, among other things, a separate automated sanity check on all certificates, just before they go out the door, using an isolated system - and certs which fail have to be manually approved - then I can see it catching several of the recent misissuances.

If the CA implements CAA as a printed warning on the certificate issuance screen that the operator can choose to deal with or ignore, I imagine it would catch fewer misissuances.

Public mailing list
Public at cabforum.org
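Gerv's suggestion above is that CAA is most useful as a separate automated check that runs on every pending certificate just before issuance, with failures routed to manual approval. The following is an added example written for this page, not code from any CA or from the thread's participants. It models the RFC 6844 lookup (check the requested name, then each parent name, and use the first non-empty CAA record set found) against a constructed in-memory zone rather than live DNS; CNAME following and DNSSEC validation are omitted, and the issuer identifier `ca.example.net` and all host names are made up.

```python
"""Pre-issuance CAA sanity check over a constructed, in-memory zone.

Assumptions (not from the thread): the lookup follows the RFC 6844 climb
algorithm; DNS data is a constructed dict instead of live queries; CNAME
following is not modelled.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 0x80          # CAA flag bit: unknown critical tag => refuse
KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 or ISSUER_CRITICAL
    tag: str     # "issue", "issuewild", "iodef", or something this CA does not know
    value: str   # e.g. "ca.example.net", or ";" meaning nobody may issue


# Constructed zone data: name -> CAA records (empty list = name exists, no CAA).
ZONE = {
    "example.com": [CAARecord(0, "issue", "ca.example.net"),
                    CAARecord(0, "iodef", "mailto:security@example.com")],
    "wild.example.com": [CAARecord(0, "issuewild", ";")],
    "locked.example.com": [CAARecord(0, "issue", ";")],
    "odd.example.com": [CAARecord(ISSUER_CRITICAL, "futuretag", "x")],
    "free.example.org": [],
}


def relevant_caa_set(name):
    """Climb from `name` towards the root; return (name_found_at, rrset)."""
    labels = name.lower().strip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = ZONE.get(candidate, [])
        if rrset:
            return candidate, rrset
    return None, []


def issuance_permitted(fqdn, issuer_domain):
    """Decide whether `issuer_domain` may issue for `fqdn`; returns (bool, reason)."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    found_at, rrset = relevant_caa_set(name)
    if not rrset:
        return True, "no CAA records at any level; CAA imposes no restriction"
    # A critical property this CA does not understand forbids issuance outright.
    for r in rrset:
        if r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property {r.tag!r} at {found_at}"
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    authorizations = [r for r in rrset if r.tag.lower() == tag]
    if not authorizations:
        return True, f"no {tag} property at {found_at}; issuance not restricted"
    for r in authorizations:
        # Value syntax is "<domain>[; param=value ...]"; an empty domain authorizes nobody.
        domain = r.value.split(";", 1)[0].strip().lower()
        if domain and domain == issuer_domain.lower():
            return True, f"{tag} at {found_at} authorizes {issuer_domain}"
    return False, f"{tag} at {found_at} does not authorize {issuer_domain}"


def needs_manual_approval(pending_fqdns, issuer_domain):
    """The 'just before they go out the door' gate: return requests that fail CAA."""
    return [(fqdn, reason) for fqdn in pending_fqdns
            for ok, reason in [issuance_permitted(fqdn, issuer_domain)] if not ok]


if __name__ == "__main__":
    batch = ["www.example.com", "*.wild.example.com", "locked.example.com",
             "odd.example.com", "free.example.org"]
    for fqdn, reason in needs_manual_approval(batch, "ca.example.net"):
        print(f"HOLD {fqdn}: {reason}")
```

The check is deliberately independent of the issuance path: it takes only the requested names and the CA's own identifier, so it can run on an isolated system, and the held list is what an operator would review rather than a warning that can be clicked past.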
