[cabfpub] Revisiting CAA

Gervase Markham gerv at mozilla.org
Mon May 5 08:58:07 UTC 2014

On 03/05/14 17:28, kirk_hall at trendmicro.com wrote:
> CAA clearly is an impediment to competition among CAs, and imposes
> another administrative and engineering burden on cert issuance.  And yet
> there are no real business rules around what to do with a contrary CAA
> result after completion of all vetting for a cert request (using a third
> party confirmed phone number to call “Google, Inc.,” checking WhoIs,
> etc.).  I can predict with confidence that many large organizations will
> lose track of who is maintaining the CAA records in various hosting
> locations, and how to make a change.  The CAA record will then become
> inaccurate and out of date.  Someone who is authorized to buy certs for
> a company then signs a deal with a new CA (at a better price and service
> level), but the contrary CAA record is found.  Either the parties ignore
> the record as “something we’ll clean up later” or the deal is delayed or
> prevented because no one can get the CAA record updated.  Either way,
> after proper vetting of a cert request by an organization the CAA record
> is not very useful.

This sounds like an argument that "CAA is not very useful when a site
wants to get its own certificates." Well, of course. It's most useful
when someone else wants to get them!

CAA is not DNI (Do Not Issue). CAs checking with a company and then
ignoring CAA records will happen, I'm sure. That doesn't mean CAA is
broken. It means that the request was, appropriately, treated with a
higher level of scrutiny.
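A concrete version of the check the thread is arguing about, added here as an example and not part of the original post: the decision a CA makes after retrieving CAA records, following the RFC 6844 rules (climb the tree to the first CAA RRset, consult `issue`, or `issuewild` for wildcard names, an issuer value of `;` denies everyone). The `zone` dictionary and CA names are constructed stand-ins for DNS answers; there are no live lookups and CNAME handling is omitted.

```python
# Added example: CAA evaluation per RFC 6844 over constructed, offline records.
# `zone` is a constructed stand-in for DNS answers; no real domains are queried.
from typing import Dict, List, Optional, Tuple

# A CAA record is (flags, tag, value). Flag bit 128 marks a property "critical".
CAARecord = Tuple[int, str, str]

# Constructed zone: example.com authorizes only "old-ca.example" for ordinary
# certs and nobody for wildcards; sub.example.com has no CAA records of its own,
# so a lookup for it climbs to the parent. locked.example.org denies all issuers.
zone: Dict[str, List[CAARecord]] = {
    "example.com": [
        (0, "issue", "old-ca.example"),
        (0, "issuewild", ";"),  # ";" alone: no wildcard issuance permitted
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.org": [(0, "issue", ";")],
}

def relevant_caa(name: str) -> Optional[List[CAARecord]]:
    """Tree climb: the relevant RRset is the first non-empty CAA set found at
    the name or any parent, searched from the name toward the root."""
    labels = name.lstrip("*.").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return None  # no CAA record anywhere in the chain: issuance is unrestricted

def issuer_domain(value: str) -> str:
    # An issue/issuewild value is "issuer-domain[; param=value ...]".
    return value.split(";", 1)[0].strip().lower()

def caa_permits(name: str, ca: str) -> bool:
    """True if the CA identified by issuer domain `ca` may issue for `name`."""
    records = relevant_caa(name)
    if records is None:
        return True
    known = ("issue", "issuewild", "iodef")
    if any(flags & 128 and tag not in known for flags, tag, _ in records):
        return False  # critical flag on a property we do not understand
    wildcard = name.startswith("*.")
    tags = {tag for _, tag, _ in records}
    # For a wildcard name, issuewild takes precedence over issue when present.
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    allowed = [issuer_domain(v) for _, t, v in records if t == tag]
    if not allowed:
        return True  # only iodef etc. present: no issuance restriction
    return ca.lower() in allowed
```

The "contrary CAA record" from the quoted message is the `new-ca.example` case: vetting may have succeeded, but `caa_permits("www.example.com", "new-ca.example")` is False because the record still names the previous CA.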
