[cabfpub] Revisiting CAA

Gervase Markham gerv at mozilla.org
Mon May 5 08:58:13 UTC 2014


On 02/05/14 17:08, kirk_hall at trendmicro.com wrote:
> I'm trying to find examples where someone said to a CA "Hey, you
> knowingly issued a cert for my domain (i.e., not a hacking case), and
> I didn't authorize it." 

You mean: are there any examples of a CA misissuing due to social
engineering or due to remote network compromise (DNS poisoning etc.)
rather than due to a CA infrastructure compromise?

CAA is not only useful in the latter cases - as noted by me, it depends
how you implement it. It's certainly possible to implement it in a way
which allows it to catch hacker misissuances. Of course, for some CAs
that would require significant re-engineering; for others, not.

Gerv
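The "depends how you implement it" point above is about where in the issuance pipeline the CAA check runs; if the check below is performed by the signing component itself rather than only by a front-end that an attacker could bypass, it applies to every certificate the CA emits. The following is an added example (not code from the post or from any CA) of the CAA evaluation a CA performs: climb the DNS tree to the nearest non-empty CAA RRset and decide whether the named issuer may issue, following the RFC 8659 rules for issue/issuewild and the critical flag; the zone data is constructed and a real implementation would query DNS.

```python
# Constructed CAA data: owner name -> list of (flags, tag, value).
# Stands in for live DNS lookups in this example.
SAMPLE_CAA = {
    "www.example.com.": [],
    "example.com.": [(0, "issue", "ca-one.example"), (0, "issuewild", ";")],
    "other.example.": [(128, "mystery", "x")],  # unknown *critical* property
}

def sample_lookup(name):
    return SAMPLE_CAA.get(name, [])

def relevant_rrset(name, lookup):
    """Walk from `name` toward the root; return the first non-empty CAA RRset."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = lookup(candidate)
        if rrset:
            return candidate, rrset
    return None, []

def permitted(name, ca_identifier, lookup=sample_lookup):
    """True if a CA identified by `ca_identifier` may issue for `name`."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    _, rrset = relevant_rrset(base, lookup)
    if not rrset:
        return True  # no CAA anywhere in the tree: issuance is not restricted
    known = ("issue", "issuewild", "iodef")
    # An unknown property with the critical bit (0x80) set forbids issuance.
    if any(tag.lower() not in known and flags & 0x80 for flags, tag, _ in rrset):
        return False
    # Wildcard requests use issuewild records when any exist, else issue.
    tag_wanted = "issue"
    if wildcard and any(tag.lower() == "issuewild" for _, tag, _ in rrset):
        tag_wanted = "issuewild"
    for _, tag, value in rrset:
        if tag.lower() != tag_wanted:
            continue
        issuer = value.split(";", 1)[0].strip().lower()
        # An empty issuer domain (";") is an explicit "nobody may issue".
        if issuer and issuer == ca_identifier.lower():
            return True
    return False

if __name__ == "__main__":
    print(permitted("www.example.com.", "ca-one.example"))   # True
    print(permitted("*.example.com.", "ca-one.example"))     # False
```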
