[cabfpub] Continuing the discussion on CAA

Gervase Markham gerv at mozilla.org
Fri Oct 14 17:49:59 UTC 2016

On 14/10/16 18:32, Bruce Morton via Public wrote:
> I think that the CA can limit risk by checking CAA records where there
> has been no verified Enterprise RA or a Certificate Approver
> established. In this condition, I think that the CAA record check should
> be a hard fail.

How would you code that, in practice? What would the UX look like for
the validation specialist?

Any version of this where CAA is not a hard-coded non-overrideable hard
fail deprives CAs of the misissuance protection they could get when it
is. Imagine if, even if an attacker got control of your entire infra he
still couldn't issue for google.com, yahoo.com or other high profile
sites because of CAA. That would make the consequences of the compromise
significantly less bad for the internet, and therefore less bad for the
CA. Protection against malicious misissuance (as opposed to an employee
violating policy, say) is not the only benefit of CAA, but I think it's
a useful one.

Making mistakes with an organization's DNS can lead to all sorts of
types of outage or disruption. Why is the disruption caused by a
mistaken CAA record (which seems a fairly unlikely scenario to me, but
let's run with it) so much worse that it needs specially protecting against?

If an organization allows random employees to make unreviewed changes to
its DNS, surely it has bigger problems than not being able to get certs?


More information about the Public mailing list