[cabfpub] Continuing the discussion on CAA

Andrew Ayer andrew at sslmate.com
Tue Oct 25 17:31:42 UTC 2016

On Mon, 24 Oct 2016 18:52:06 +0000
Jeremy Rowley via Public <public at cabforum.org> wrote:

> "CAA records MAY be used by Certificate Evaluators as a possible
>    indicator of a security policy violation.  Such use SHOULD take
>    account of the possibility that published CAA records changed
> between the time a certificate was issued and the time at which the
>    certificate was observed by the Certificate Evaluator."
> I know it says this, but I'm not sure how this would ever happen in
> practice. That seems more like the role of CT over CAA.

CT finds certificates but doesn't tell you whether a certificate
was authorized or not.  A CT monitor could check CAA records and raise
an alarm if a certificate was issued by an unauthorized CA.


More information about the Public mailing list