[cabfpub] Continuing the discussion on CAA

Jody Cloutier jodycl at microsoft.com
Thu Oct 27 22:33:38 UTC 2016

Question: If a company has trusted roots, but it does not issue roots to the general public, would it still have to check the CAA database? 

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Andrew Ayer via Public
Sent: Tuesday, October 25, 2016 10:32 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA

On Mon, 24 Oct 2016 18:52:06 +0000
Jeremy Rowley via Public <public at cabforum.org> wrote:

> "CAA records MAY be used by Certificate Evaluators as a possible
> indicator of a security policy violation.  Such use SHOULD take
> account of the possibility that published CAA records changed
> between the time a certificate was issued and the time at which the
> certificate was observed by the Certificate Evaluator."
>
> I know it says this, but I'm not sure how this would ever happen in
> practice. That seems more like the role of CT over CAA.

CT finds certificates but doesn't tell you whether a certificate was authorized or not.  A CT monitor could check CAA records and raise an alarm if a certificate was issued by an unauthorized CA.

Public mailing list
Public at cabforum.org
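The post-issuance check Andrew describes (a CT monitor comparing an observed certificate's issuer against the domain's CAA records) can be written out concretely. What follows is an added example, not code from the thread or from any CAB Forum member: it implements the Relevant Resource Record Set lookup of RFC 6844 section 4 (walk from the name towards the root until a non-empty CAA RRset is found; CNAME/DNAME handling omitted) and the issue/issuewild tag semantics, including the issuer-critical flag and the ";" value that authorises nobody. The zone contents, the certificate records and all function and field names (ZONE, caa_permits, check_observed_cert, issuer_caa_id) are assumptions made for illustration; a real monitor would query DNS instead of the in-memory zone.

```python
"""CAA check that a CT monitor could run on an observed certificate.

Added example, not code from the mailing-list thread.  The in-memory ZONE,
the sample certificates and the helper names are constructed for
illustration; a real monitor would resolve CAA via DNS (with DNSSEC where
available) and must remember that the records it sees now may differ from
the records that existed at issuance time.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

CRITICAL = 0x80  # issuer-critical bit of the CAA flags byte


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone data: owner name -> CAA RRset.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        CAARecord(0, "issue", "ca-one.example.net"),
        CAARecord(0, "issue", "ca-two.example.net; account=123"),
        CAARecord(0, "issuewild", ";"),          # no wildcard issuance at all
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAARecord(0, "issue", ";")],   # nobody may issue
    "odd.example.org": [CAARecord(CRITICAL, "tbs", "Unknown")],  # unknown critical tag
}


def parents(name: str) -> Iterator[str]:
    """Yield the name and each of its ancestors, e.g. www.example.com -> example.com -> com."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def relevant_rrset(name: str, zone: Dict[str, List[CAARecord]] = ZONE) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 6844 s4: the relevant RRset is the first non-empty CAA RRset found
    walking from the name towards the root.  (None, []) means no CAA anywhere."""
    for candidate in parents(name):
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def _issuer_domain(value: str) -> str:
    """'ca.example.net; account=123' -> 'ca.example.net'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(san: str, issuer_caa_id: str, zone: Dict[str, List[CAARecord]] = ZONE) -> Tuple[bool, str]:
    """Would the CAA records as published now allow issuer_caa_id to issue for san?"""
    wildcard = san.startswith("*.")
    base = san[2:] if wildcard else san
    found_at, rrset = relevant_rrset(base, zone)
    if not rrset:
        return True, f"no CAA records found for {san}: any CA may issue"
    # A tag the checker does not understand, marked critical, forbids issuance.
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown tag {rr.tag!r} at {found_at}"
    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    # For wildcard names issuewild wins when present; otherwise issue applies.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, f"no applicable issue/issuewild at {found_at}: any CA may issue"
    allowed = {_issuer_domain(rr.value) for rr in relevant}
    allowed.discard("")  # a bare ';' authorises no issuer
    if issuer_caa_id.lower() in allowed:
        return True, f"{issuer_caa_id} listed at {found_at}"
    return False, f"{issuer_caa_id} not in {sorted(allowed) or ['<none>']} at {found_at}"


def check_observed_cert(cert: dict, zone: Dict[str, List[CAARecord]] = ZONE) -> List[str]:
    """Run over one CT-observed certificate (constructed dict with 'issuer_caa_id'
    and 'names'); return one alarm string per SAN the current CAA would not permit."""
    alarms = []
    for san in cert["names"]:
        ok, why = caa_permits(san, cert["issuer_caa_id"], zone)
        if not ok:
            alarms.append(f"{san}: {why} (CAA as published now, not at issuance)")
    return alarms


if __name__ == "__main__":
    # Constructed certificate as a monitor might extract it from a CT log entry.
    observed = {"issuer_caa_id": "ca-one.example.net",
                "names": ["www.example.com", "*.example.com"]}
    for line in check_observed_cert(observed):
        print("ALARM:", line)
```

The alarm text carries the caveat from the RFC passage quoted above: the monitor sees the CAA records of today, so a mismatch is a lead to investigate, not proof of mis-issuance, and a clean result is not proof the CA checked CAA at the time. The parameter after ";" in an issue value (here "account=123") is stripped before matching, as only the domain part identifies the issuer.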