[cabfpub] CAA checking: anecdotal reports?

Jeremy Rowley jeremy.rowley at digicert.com
Tue Sep 12 00:56:35 UTC 2017


Some initial thoughts:

Attached is an image of what we're seeing on CAA record check times since it 
was fully implemented as a pre-issuance check back on the 5th.  Average delay 
caused by CAA checking is about 180 ms.

We have rejected 48 FQDNs because of CAA since Thursday; many of these are 
caatestsuite.com names.  Since Thursday, we've rejected between 3 and 17 domains a 
day based on CAA records. Again, each caatestsuite site is counted separately.

Jeremy


-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Paul Hoffman 
via Public
Sent: Sunday, September 10, 2017 9:19 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: [cabfpub] CAA checking: anecdotal reports?

Greetings. I'm interested in how CAA is working out for both the names and CA 
communities.

Is someone collecting anecdotal reports of certificate non-issuance due to CAA 
checking? I kind of imagine they fall into at least two buckets: "I really do 
own the name but don't know how that wrong CAA record got there" and "As a CA, 
we have seen X blocked attempts to use us to try to get certs that had CAA 
records from other vendors". I guess I'm also interested in "About X% of our 
renewals are names that have us correctly listed in a CAA record".

--Paul Hoffman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CAA record checking times.png
Type: image/png
Size: 30364 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170912/784a2999/attachment-0003.png>