[cabfpub] Revisiting CAA
Gervase Markham
gerv at mozilla.org
Mon May 5 08:58:07 UTC 2014
On 03/05/14 17:28, kirk_hall at trendmicro.com wrote:
> CAA clearly is an impediment to competition among CAs, and imposes
> another administrative and engineering burden on cert issuance. And yet
> there are no real business rules around what to do with a contrary CAA
> result after completion of all vetting for a cert request (using a third
> party confirmed phone number to call “Google, Inc.,” checking WhoIs,
> etc.). I can predict with confidence that many large organizations will
> lose track of who is maintaining the CAA records in various hosting
> locations, and how to make a change. The CAA record will then become
> inaccurate and out of date. Someone who is authorized to buy certs for
> a company then signs a deal with a new CA (at a better price and service
> level), but the contrary CAA record is found. Either the parties ignore
> the record as “something we’ll clean up later” or the deal is delayed or
> prevented because no one can get the CAA record updated. Either way,
> after proper vetting of a cert request by an organization the CAA record
> is not very useful.
This sounds like an argument that "CAA is not very useful when a site
wants to get its own certificates." Well, of course. It's most useful
when someone else wants to get them!
CAA is not DNI (Do Not Issue). CAs checking with a company and then
ignoring CAA records will happen, I'm sure. That doesn't mean CAA is
broken. It means that the request was, appropriately, treated with a
higher level of scrutiny.
Gerv
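The distinction Gerv draws (a contrary CAA record is a signal for extra scrutiny, not an automatic refusal) is easier to see in the CA-side lookup logic. The following is an added example, not code from this thread or from any CA; it applies the climb-to-parent lookup of RFC 8659 (which replaced RFC 6844) over a constructed set of CAA records and reports a distinct outcome for "no CAA at all", "our CA is listed", "another CA is listed" and "critical unknown tag". The zone contents and CA names are made up.

```python
# Constructed CAA record sets keyed by FQDN, each record as (flags, tag, value).
ZONE = {
    "example.com.": [(0, "issue", "ca-a.example"),
                     (0, "iodef", "mailto:security@example.com")],
    "locked.example.": [(0, "issue", ";")],          # ";" = no CA may issue
    "weird.example.": [(128, "futuretag", "x")],     # critical flag, unknown tag
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(fqdn, zone):
    """RFC 8659 s3: climb from fqdn toward the root, return the first
    non-empty CAA RRset found (name, records); (None, []) if there is none."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rrs = zone.get(name, [])
        if rrs:
            return name, rrs
    return None, []

def caa_decision(fqdn, ca_domain, zone, wildcard=False):
    """Classify a request for fqdn by the CA identified by ca_domain.
    Returns 'no-caa', 'authorized', 'contrary' or 'critical-unknown'.
    For a wildcard request pass the base name and wildcard=True."""
    _, rrs = relevant_rrset(fqdn, zone)
    if not rrs:
        return "no-caa"            # no CAA anywhere up the tree: no restriction
    # RFC 8659 s4.1: a critical-flagged tag the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrs):
        return "critical-unknown"
    tags = {tag for _, tag, _ in rrs}
    # issuewild governs wildcard requests only when present; otherwise issue applies.
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return "authorized"        # RRset exists but does not restrict this issuance
    # Parameters after ";" are ignored here; "issue ;" yields the empty issuer name.
    allowed = {v.split(";")[0].strip().lower() for _, t, v in rrs if t == tag}
    return "authorized" if ca_domain.lower() in allowed else "contrary"
```

Only "critical-unknown" and an explicit "issue ;" are hard stops; a plain "contrary" result is the case the thread is arguing about, where the CA's own vetting and policy decide what happens next.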