[cabfpub] Continuing the discussion on CAA
Andrew Ayer
andrew at sslmate.com
Tue Oct 25 17:31:42 UTC 2016
On Mon, 24 Oct 2016 18:52:06 +0000
Jeremy Rowley via Public <public at cabforum.org> wrote:
> "CAA records MAY be used by Certificate Evaluators as a possible
> indicator of a security policy violation. Such use SHOULD take
> account of the possibility that published CAA records changed
> between the time a certificate was issued and the time at which the
> certificate was observed by the Certificate Evaluator."
>
> I know it says this, but I'm not sure how this would ever happen in
> practice. That seems more like the role of CT over CAA.
CT finds certificates but doesn't tell you whether a certificate
was authorized or not. A CT monitor could check CAA records and raise
an alarm if a certificate was issued by an unauthorized CA.
Regards,
Andrew
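As an added illustration of the CT-monitor check Andrew describes (this is not code from the thread or from any CAB Forum project): a certificate observed in CT is checked against the domain's CAA records, and the issuer is flagged when the records do not permit it. It assumes a constructed CAA zone snapshot in place of live DNS and a simplified RFC 6844 evaluation (tree-climbing without CNAME/DNAME following), and it reports a mismatch as an indicator to investigate, since the records may have changed since issuance.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class CaaRecord:
    flags: int
    tag: str    # "issue", "issuewild" or "iodef"
    value: str  # CA domain, optionally followed by ";params"; a bare ";" means "no CA"

# Constructed CAA snapshot standing in for DNS as seen at observation time.
ZONE = {
    "example.com": [CaaRecord(0, "issue", "ca-a.example"),
                    CaaRecord(0, "issuewild", ";")],
    "locked.example.net": [CaaRecord(128, "issue", ";")],
}

def lookup(name: str) -> List[CaaRecord]:
    return ZONE.get(name, [])

def relevant_caa_set(name: str, lookup: Callable[[str], List[CaaRecord]]) -> List[CaaRecord]:
    """RFC 6844 tree-climbing (simplified: CNAME/DNAME following omitted):
    the relevant RRset is the first non-empty one found walking toward the root."""
    base = name[2:] if name.startswith("*.") else name
    labels = base.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def ca_domain(value: str) -> str:
    """'ca-a.example; accounturi=...' -> 'ca-a.example'; ';' -> '' (matches no CA)."""
    return value.split(";", 1)[0].strip().lower()

def issuance_authorized(san: str, issuer_domain: str, lookup) -> bool:
    rrset = relevant_caa_set(san, lookup)
    if not rrset:
        return True                      # no CAA records anywhere: issuance not restricted
    tag = "issue"
    if san.startswith("*.") and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"                # issuewild takes precedence for wildcard names
    restricting = [r for r in rrset if r.tag == tag]
    if not restricting:
        return True                      # RRset carries no restriction for this name type
    return issuer_domain.lower() in {ca_domain(r.value) for r in restricting}

def check_ct_entry(issuer_domain: str, sans: List[str], lookup) -> List[str]:
    """CT-monitor step: SANs whose CAA records, as seen now, do not permit the issuer.
    A non-empty result is an alarm to investigate, not proof of mis-issuance."""
    return [s for s in sans if not issuance_authorized(s, issuer_domain, lookup)]
```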