[cabfpub] CAA implementation advice

Gervase Markham gerv at mozilla.org
Thu Mar 9 15:20:49 UTC 2017


Now that the CAA ballot has passed, those CAs which have not already
done so will be considering an implementation plan.

May I offer a word of suggestion? The requirements in the CAA ballot are
designed such that CAA is almost always compulsory at time of issuance,
and those occasions where it is not (relating to CT and TCSCs) can be
checked programmatically rather than needing human input.

Therefore, I'd suggest it would be very wise for CAs to wire CAA into
their systems in a way which a) was not overridable, and b) was hooked
up to some alarm bells and some significant, incorruptible and
regularly-reviewed logging when an issuance is attempted and CAA stops it.
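As an added illustration (not part of Gerv's message or any CA's code), here is a minimal issuance gate in the shape he describes: an RFC 6844/8659-style CAA check (climbing lookup, issue/issuewild handling) sits inside the issuance path with no override parameter, and a blocked attempt writes an alarm record before the request fails. The in-memory zone data, the domain names, the CA identifier and the `ALARM_LOG` sink are constructed assumptions standing in for DNS resolution and a real audit system.

```python
import logging

# Constructed, in-memory stand-in for DNS (FQDN -> CAA records as (flags, tag, value)).
# A real CA resolves these over DNSSEC-validating DNS; this keeps the example offline.
CAA_ZONE = {
    "example.com.": [(0, "issue", "ca.example"), (0, "iodef", "mailto:security@example.com")],
    "locked.example.org.": [(0, "issue", ";")],   # ";" alone forbids every issuer
    "wild.example.net.": [(0, "issue", "ca.example"), (0, "issuewild", "other-ca.example")],
}

# Assumed append-only alarm sink (in production: a WORM log plus paging). Nothing in this
# module exposes a way to suppress writes to it or to skip the check below.
ALARM_LOG = []
log = logging.getLogger("caa-gate")

class CAAIssuanceBlocked(Exception):
    """The issuance pipeline stops here; there is deliberately no override parameter."""

def caa_lookup(fqdn):
    """Climb label by label toward the root and return the first non-empty CAA RRset,
    or [] if no ancestor publishes CAA (issuance is then not restricted by CAA)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = CAA_ZONE.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []

def caa_permits(fqdn, ca_identifier):
    """True if CAA allows ca_identifier to issue for fqdn (wildcard names honour issuewild)."""
    wildcard = fqdn.startswith("*.")
    rrset = caa_lookup(fqdn[2:] if wildcard else fqdn)
    tags = ["issuewild", "issue"] if wildcard else ["issue"]
    for tag in tags:  # for wildcards, issuewild takes precedence, then fall back to issue
        values = [v for (_, t, v) in rrset if t == tag]
        if values:
            # Issuer domain is the text before any ";" parameters; ";" alone matches nobody.
            return any(v.split(";")[0].strip().lower() == ca_identifier.lower() for v in values)
    return True  # CAA RRset present but with no issue/issuewild property restricts nothing

def authorize_issuance(request_id, fqdns, ca_identifier):
    """Gate every issuance: returns True, or raises after writing an alarm record."""
    blocked = [n for n in fqdns if not caa_permits(n, ca_identifier)]
    if blocked:
        event = {"request_id": request_id, "blocked": blocked, "ca": ca_identifier}
        ALARM_LOG.append(event)           # reviewed regularly; a breach shows up here first
        log.critical("CAA blocked issuance: %s", event)
        raise CAAIssuanceBlocked(event)
    return True
```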

Doing both of these things may well save a CA which has had some sort of
security breach from misissuing certificates, and help them detect such
a breach far earlier than otherwise.

E.g. if this had been in place at Comodo when ComodoHacker was active
(when he got control of an insecure RA issuing account), his first
attempt to issue for "google.com" would have set off the alarm bells
immediately, and he would not have been able to dismiss or override the
error.

Of course, it is not for browsers or CABF motions to specify CA
behaviour to this level of specificity, but I wanted to make the case
for this sort of implementation as I believe it will strengthen the
security of the ecosystem. (And I must say I won't be impressed if I'm
investigating a misissuance, I say "what about CAA?", and the reply is
"well, the attacker just overrode that warning".)

Gerv

