[cabfpub] CAA checking: anecdotal reports?
Jeremy Rowley
jeremy.rowley at digicert.com
Tue Sep 12 17:38:47 UTC 2017
Here's some more data. Attached is a complete list of all CAA records where
we've rejected issuance. I think most of these are tests being run to verify
DigiCert's CAA record checking (either CAAtestsuite or the Bear one). We have
issued for cacerts.digicert.com as a domain, but we permit *.digicert.com
right now as a valid CAA setting. I think we also saw and permitted
caa.digicert.com but that was before the 8th.
-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
via Public
Sent: Monday, September 11, 2017 6:57 PM
To: Paul Hoffman <paul.hoffman at icann.org>; CA/Browser Forum Public Discussion
List <public at cabforum.org>
Subject: Re: [cabfpub] CAA checking: anecdotal reports?
Some initial thoughts:
Attached is an image of what we're seeing on CAA record check times since it
was fully implemented as a pre-issuance check back on the 5th. Average delay
caused by CAA checking is about 180 ms.
We have rejected 48 FQDNs because of CAA since Thursday; many of these are
caatestsuite.com names. Since Thursday, we've rejected between 3-17 domains a
day based on CAA records. Again, each caatestsuite site is counted separately.
Jeremy
-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Paul Hoffman
via Public
Sent: Sunday, September 10, 2017 9:19 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: [cabfpub] CAA checking: anecdotal reports?
Greetings. I'm interested in how CAA is working out for both the names and CA
communities.
Is someone collecting anecdotal reports of certificate non-issuance due to CAA
checking? I kind of imagine they fall into at least two buckets: "I really do
own the name but don't know how that wrong CAA record got there" and "As a CA,
we have seen X blocked attempts to use us to try to get certs that had CAA
records from other vendors". I guess I'm also interested in "About X% of our
renewals are names that have us correctly listed in a CAA record".
--Paul Hoffman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CAA records.png
Type: image/png
Size: 101125 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170912/f099590c/attachment-0003.png>