[cabfpub] Continuing the discussion on CAA
jsha at letsencrypt.org
Tue Oct 18 19:01:40 UTC 2016
On Sat, Sep 10, 2016 at 10:42 PM, Eric Mill <eric.mill at gsa.gov> wrote:
> CAA could be a straightforward way for enterprises to set an actual
> security policy that can be technically enforced, without the same level of
> risk or technical sophistication required by HPKP.
To clarify a bit on this point: I think CAA doesn't work well as a way to
enforce top-down enterprise policy in the presence of delegated subdomains,
because CAA records are checked starting from the leftmost label, and only
the first record found is considered:
For instance, say you have a CAA record on example.com forbidding all
issuance, and have a CNAME from blog.example.com to a hosting provider.
That hosting provider can answer CAA queries for blog.example.com with a
response that permits issuance.
CAA has a lot of value, but I think this is not one of the things it is
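To make the delegation case concrete, here is a simulation of the RFC 6844 Section 4 discovery algorithm run over a constructed zone (an added example, not part of the original post): example.com forbids all issuance, blog.example.com is a CNAME to a hosting provider, and the hosting-provider and CA names under `.example` are placeholders.

```python
"""RFC 6844 Section 4 CAA discovery, simulated over a constructed zone.
A CAA record at example.com never reaches blog.example.com: the CNAME
target's own CAA set is found first and the parent zone is not consulted."""
# Constructed zone data (not real DNS). Names under *.example stand in
# for a hosting provider and the CA it uses.
ZONE = {
    "example.com": {"CAA": ['0 issue ";"']},  # forbid all issuance
    "blog.example.com": {"CNAME": "sites.hosting-provider.example"},
    "sites.hosting-provider.example": {"CAA": ['0 issue "hostingca.example"']},
}

def caa(name):
    return list(ZONE.get(name, {}).get("CAA", []))

def alias(name):
    return ZONE.get(name, {}).get("CNAME")

def parent(name):
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None  # TLD: no parent

def relevant_caa(name, depth=0):
    """R(X) per RFC 6844: CAA(X), else R(A(X)), else R(P(X)), else empty."""
    if depth > 16:  # guard against CNAME loops
        return []
    records = caa(name)
    if records:
        return records
    target = alias(name)
    if target:
        aliased = relevant_caa(target, depth + 1)
        if aliased:
            return aliased
    p = parent(name)
    return relevant_caa(p, depth + 1) if p else []

def may_issue(ca_domain, name):
    """True if the relevant set is empty (unrestricted) or an 'issue'
    record names ca_domain. issuewild and iodef are ignored here."""
    records = relevant_caa(name)
    if not records:
        return True
    for rec in records:
        _flags, tag, value = rec.split(" ", 2)
        if tag == "issue":
            issuer = value.strip('"').split(";")[0].strip()  # ';' alone: nobody
            if issuer == ca_domain:
                return True
    return False
```

Running `may_issue("hostingca.example", "blog.example.com")` returns True while `may_issue("hostingca.example", "www.example.com")` returns False, which is the gap the post describes; RFC 8659 (2019) later stopped climbing the alias target's parents, but the target's own CAA set still takes precedence, so the behaviour shown here is unchanged.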