[cabfpub] Continuing the discussion on CAA

Eneli Kirme Eneli.Kirme at sk.ee
Mon Oct 24 11:08:40 UTC 2016

Hi all,

Although we appreciate your concerns on protecting users from incapable CA-s, we’d like to point out that we as a small CA, fear a side-effect of it being an instrument for market manipulation.

Most of the concerns brought up here so far have been about corporations where there’s different admins for DNS, certificates, web content and whether this would create any trouble to them or risk to users.

But consider this scenario: a hypothetical CoolCA approaching a DNS service provider, be it an ISP, domain registrar or some kind of hosting provider, with a proposal to include a CAA record pointing to the CoolCA into their default configuration. Falling to it means that lots of small customers, who just want to set up a homepage or e-mail and who might not (yet) know anything about certificates, all of a sudden get a preferred choice of a CA. This cannot be considered an incorrect configuration, but nevertheless our first step with potential customers in a hard-fail scenario would then be to ask them to go to the DNS provider and request changing the CAA from our competitor to us and only then come back. This is definitely extra hassle to her, it might also be extra cost to her and it is us promoting our competitor.

Best regards,

Eneli Kirme
AS Sertifitseerimiskeskus (SK)

On 19 Oct 2016, at 00:49, Ryan Sleevi via Public <public at cabforum.org<mailto:public at cabforum.org>> wrote:

On Tue, Oct 18, 2016 at 12:01 PM, Jacob Hoffman-Andrews via Public <public at cabforum.org<mailto:public at cabforum.org>> wrote:
On Sat, Sep 10, 2016 at 10:42 PM, Eric Mill <eric.mill at gsa.gov<mailto:eric.mill at gsa.gov>> wrote:
CAA could be a straightforward way for enterprises to set an actual security policy that can be technically enforced, without the same level of risk or technical sophistication required by HPKP.

To clarify a bit on this point: I think CAA doesn't work well as a way to enforce top-down enterprise policy in the presence of delegated subdomains, because CAA records are checked starting from the leftmost label, and only the first record found is considered: https://tools.ietf.org/html/rfc6844#section-4.

For instance, say you have a CAA record on example.com<http://example.com/> forbidding all issuance, and have a CNAME from blog.example.com<http://blog.example.com/> to a hosting provider. That hosting provider can answer CAA queries for blog.example.com<http://blog.example.com/> with a response that permits issuance.

CAA has a lot of value, but I think this is not one of the things it is useful for.

I agree it's not useful for the specific case you highlighted, but I don't think it's correct to paint all of the situations Eric raised as fitting that mold. So CAA absolutely is useful for that case - but if and only if you structure it in a way you can express CAA. But some (many?) enterprises can do that, and it is valuable for the level Eric highlights.
Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161024/653f529a/attachment-0003.html>

More information about the Public mailing list