[cabfpub] Continuing the discussion on CAA
jodycl at microsoft.com
Thu Oct 27 15:33:38 MST 2016
Question: If a company has trusted roots, but it does not issue roots to the general public, would it still have to check the CAA database?
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Andrew Ayer via Public
Sent: Tuesday, October 25, 2016 10:32 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA
On Mon, 24 Oct 2016 18:52:06 +0000
Jeremy Rowley via Public <public at cabforum.org> wrote:
> "CAA records MAY be used by Certificate Evaluators as a possible
> indicator of a security policy violation. Such use SHOULD take
> account of the possibility that published CAA records changed
> between the time a certificate was issued and the time at which the
> certificate was observed by the Certificate Evaluator."
> I know it says this, but I'm not sure how this would ever happen in
> practice. That seems more like the role of CT over CAA.
CT finds certificates but doesn't tell you whether a certificate was authorized or not. A CT monitor could check CAA records and raise an alarm if a certificate was issued by an unauthorized CA.
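The check Andrew Ayer sketches above (a CT monitor comparing the issuing CA against the name's CAA records and alarming on a mismatch) can be written down concretely. The code below is an added illustration, not from this thread or from any CT monitor in use; the CAA zone data, the domain names and the issuer identifier `authorized-ca.example` are all constructed for the example, and the record-selection rules follow RFC 6844/8659 (climb to the closest ancestor with CAA records, `issuewild` overrides `issue` for wildcard names, an empty `issue ";"` value authorizes nobody, an unrecognized critical-flagged tag forbids issuance). Because CAA records can change between issuance and observation, as the quoted text notes, a monitor should treat a mismatch as a possible violation to investigate, not as proof of mis-issuance.

```python
"""CT-monitor-style CAA check (added example; DNS data below is constructed)."""
from dataclasses import dataclass

CRITICAL = 128  # CAA "issuer critical" flag bit (RFC 8659 section 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed snapshot of CAA RRsets keyed by owner name (not real zones).
CAA_ZONES = {
    "example.com": [
        CAARecord(0, "issue", "authorized-ca.example"),
        CAARecord(0, "issuewild", ";"),  # empty value: no CA may issue wildcards
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.net": [CAARecord(0, "issue", ";")],  # nobody may issue at all
    "open.example.org": [CAARecord(0, "iodef", "mailto:x@example.org")],  # no restricting tags
}


def relevant_rrset(fqdn):
    """Return the CAA RRset of fqdn or of its closest ancestor that has one.

    None means no CAA record exists anywhere up the tree, which leaves issuance
    unrestricted.  A real monitor would resolve these via DNS at observation time.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in CAA_ZONES:
            return CAA_ZONES[name]
    return None


def issuance_authorized(dns_name, issuer_caa_id):
    """Decide whether issuer_caa_id was permitted to issue for dns_name."""
    wildcard = dns_name.startswith("*.")
    # Simplification: a wildcard name is evaluated against its parent's records.
    base = dns_name[2:] if wildcard else dns_name
    rrset = relevant_rrset(base)
    if rrset is None:
        return True  # no CAA published: issuance not restricted

    # A critical record with a tag the checker does not understand forbids issuance.
    for r in rrset:
        if r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False

    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    restricting = [r for r in rrset if r.tag.lower() == tag]
    if not restricting:
        return True  # RRset carries no tag that restricts this kind of issuance

    # The authorized CA is the domain part of the value, before any ';' parameters.
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in restricting}
    return issuer_caa_id.lower() in allowed


def check_ct_entry(entry):
    """Return the DNS names in a CT log entry whose issuance CAA does not authorize.

    entry is a constructed dict: {"names": [...], "issuer_caa_id": "..."}.
    A non-empty result is a possible policy violation worth alarming on; the
    records may have changed since issuance, so it is not proof by itself.
    """
    issuer = entry["issuer_caa_id"]
    return [n for n in entry["names"] if not issuance_authorized(n, issuer)]


if __name__ == "__main__":
    observed = {"names": ["www.example.com", "*.example.com"],
                "issuer_caa_id": "authorized-ca.example"}
    print("flagged names:", check_ct_entry(observed))
```

Run as a script, it flags `*.example.com` (the constructed `issuewild ";"` record authorizes no wildcard issuer) while accepting `www.example.com`, which inherits its parent's `issue` record.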