[cabfpub] Continuing the discussion on CAA

Jody Cloutier jodycl at microsoft.com
Thu Oct 27 15:46:47 MST 2016


I’m just trying to rationalize the security benefit of a company like Microsoft checking CAA on every certificate it issues when it’s never going to issue to a third party. The amount of work is high and there’s almost no return for that for us because we only issue certs to Microsoft and Microsoft properties like Azure and Office.

From: Richard Barnes [mailto:rbarnes at mozilla.com]
Sent: Thursday, October 27, 2016 3:45 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Jody Cloutier <jodycl at microsoft.com>
Subject: Re: [cabfpub] Continuing the discussion on CAA



On Thu, Oct 27, 2016 at 6:33 PM, Jody Cloutier via Public <public at cabforum.org> wrote:
> Question: If a company has trusted roots, but it does not issue roots to the general public, would it still have to check the CAA database?

I assume you mean "issue certificates"?

I'm not sure what you mean by "not issuing to the general public", but I'm concerned about heading back toward the "internal names" exception that we killed not so long ago.

--Richard



-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Andrew Ayer via Public
Sent: Tuesday, October 25, 2016 10:32 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA

On Mon, 24 Oct 2016 18:52:06 +0000
Jeremy Rowley via Public <public at cabforum.org> wrote:

> "CAA records MAY be used by Certificate Evaluators as a possible
>    indicator of a security policy violation.  Such use SHOULD take
>    account of the possibility that published CAA records changed
> between the time a certificate was issued and the time at which the
>    certificate was observed by the Certificate Evaluator."
>
> I know it says this, but I'm not sure how this would ever happen in
> practice. That seems more like the role of CT over CAA.

CT finds certificates but doesn't tell you whether a certificate was authorized or not.  A CT monitor could check CAA records and raise an alarm if a certificate was issued by an unauthorized CA.

Regards,
Andrew
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
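The monitor-side check Andrew describes above, written out as an added Python example that is not part of this thread and is not any CA's or CT monitor's code: it applies the RFC 6844 evaluation rules (tree climb to the closest CAA RRset, issue vs. issuewild, the empty-issuer value ";", unrecognised critical properties) to a snapshot of CAA records and reports the SANs of a logged certificate whose issuing CA is not authorized. The zone contents and the CA identifiers ca-one.example and ca-two.example are constructed for the example; CNAME/DNAME following and live DNS lookups are left out.

```python
"""
Offline model of the CAA check a CT monitor could run on a certificate it has
just seen in a log. All DNS data below is constructed for illustration.
"""

# Constructed CAA snapshot: owner name -> list of (flags, tag, value), as a
# monitor would have fetched them at the time the certificate was observed.
CAA_ZONE = {
    "example.com.": [(0, "issue", "ca-one.example"),
                     (0, "issuewild", "ca-two.example")],
    "nocerts.example.com.": [(0, "issue", ";")],          # nobody may issue
    "critical.example.com.": [(128, "futuretag", "x")],   # unknown, critical
    "api.example.net.": [],                               # empty RRset
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def _parents(name):
    """Yield name, then each ancestor, as fully-qualified names."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def find_caa(name, zone):
    """RFC 6844 section 4: the relevant RRset is the first non-empty CAA set
    found walking from the name towards the root."""
    for candidate in _parents(name):
        rrset = zone.get(candidate, [])
        if rrset:
            return candidate, rrset
    return None, []


def _value_domain(value):
    """issue/issuewild value is '<domain>[; param=value ...]'; ';' alone is
    the empty issuer domain that forbids all issuance."""
    return value.split(";", 1)[0].strip().lower()


def issuance_authorized(name, issuer_domain, zone):
    """Return (authorized, reason) for one SAN. For a wildcard SAN the
    issuewild property governs when present, otherwise issue applies."""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name
    at, rrset = find_caa(lookup, zone)
    if not rrset:
        return True, "no CAA records in tree; issuance unrestricted"
    # A critical property the evaluator does not understand must block issuance.
    if any((flags & 128) and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False, f"unrecognised critical CAA property at {at}"
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    domains = {_value_domain(v) for _, t, v in rrset if t == tag}
    if not domains:
        return True, f"CAA at {at} has no '{tag}' property; unrestricted"
    if issuer_domain.lower() in domains:
        return True, f"{issuer_domain} listed in {tag} at {at}"
    return False, f"{issuer_domain} not in {tag} set {sorted(domains)} at {at}"


def check_certificate(san_names, issuer_domain, zone):
    """Evaluate every SAN of a certificate; returns (name, authorized, reason)."""
    return [(n, *issuance_authorized(n, issuer_domain, zone)) for n in san_names]


def alerts_for(san_names, issuer_domain, zone):
    """Names a monitor would raise an alarm for: the SANs the issuing CA was
    not authorized to issue for, per the CAA snapshot."""
    return [n for n, ok, _ in check_certificate(san_names, issuer_domain, zone)
            if not ok]


if __name__ == "__main__":
    # Constructed certificate: issued by ca-one.example for these SANs.
    sans = ["www.example.com.", "*.example.com.", "nocerts.example.com.",
            "api.example.net."]
    for name, ok, reason in check_certificate(sans, "ca-one.example", CAA_ZONE):
        print(f"{'OK   ' if ok else 'ALERT'} {name}: {reason}")
```

The snapshot passed in is whatever the monitor resolved when it observed the certificate, which is exactly the caveat in the RFC text Jeremy quoted: the records may have changed since issuance, so an ALERT here is an indicator to investigate against the CA, not proof of mis-issuance.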
