[cabfpub] Continuing the discussion on CAA

Ryan Sleevi sleevi at google.com
Tue Oct 18 21:49:16 UTC 2016


On Tue, Oct 18, 2016 at 12:01 PM, Jacob Hoffman-Andrews via Public <
public at cabforum.org> wrote:

> On Sat, Sep 10, 2016 at 10:42 PM, Eric Mill <eric.mill at gsa.gov> wrote:
>>
>> CAA could be a straightforward way for enterprises to set an actual
>> security policy that can be technically enforced, without the same level of
>> risk or technical sophistication required by HPKP.
>>
>
> To clarify a bit on this point: I think CAA doesn't work well as a way to
> enforce top-down enterprise policy in the presence of delegated subdomains,
> because CAA records are checked starting from the leftmost label, and only
> the first record found is considered: https://tools.ietf.org/html/
> rfc6844#section-4.
>
> For instance, say you have a CAA record on example.com forbidding all
> issuance, and have a CNAME from blog.example.com to a hosting provider.
> That hosting provider can answer CAA queries for blog.example.com with a
> response that permits issuance.
>

> CAA has a lot of value, but I think this is not one of the things it is
> useful for.
>

I agree it's not useful for the specific case you highlighted, but I don't
think it's correct to paint all of the situations Eric raised as fitting
that mold. So CAA absolutely is useful for that case - but if and only if
you structure it in a way you can express CAA. But some (many?) enterprises
can do that, and it is valuable for the level Eric highlights.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161018/18cdbde7/attachment-0003.html>


More information about the Public mailing list