[cabfpub] Continuing the discussion on CAA

Jacob Hoffman-Andrews jsha at letsencrypt.org
Tue Oct 18 19:01:40 UTC 2016


On Sat, Sep 10, 2016 at 10:42 PM, Eric Mill <eric.mill at gsa.gov> wrote:
>
> CAA could be a straightforward way for enterprises to set an actual
> security policy that can be technically enforced, without the same level of
> risk or technical sophistication required by HPKP.
>

To clarify a bit on this point: I think CAA doesn't work well as a way to
enforce top-down enterprise policy in the presence of delegated subdomains,
because CAA records are checked starting from the leftmost label, and only
the first record found is considered:
https://tools.ietf.org/html/rfc6844#section-4.

For instance, say you have a CAA record on example.com forbidding all
issuance, and have a CNAME from blog.example.com to a hosting provider.
That hosting provider can answer CAA queries for blog.example.com with a
response that permits issuance.

CAA has a lot of value, but I think this is not one of the things it is
useful for.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161018/aee00c58/attachment-0003.html>


More information about the Public mailing list