item 43740118

m_sahaf | 10 months ago
I always wonder who/what checks if CAs respect CAA. I know some browsers now check the certificate transparency log, but are there any that check the CAA record against the issuer of the certificate?

agwa | 10 months ago
No, because the CAA record only has to be in place at the time of issuance, rather than the whole lifetime of the certificate.
Even if the semantics of CAA were changed, the challenges described in paragraph 3 of this post would apply: https://www.imperialviolet.org/2015/01/17/notdane.html

londons_explore | 10 months ago
> No, because the CAA record only has to be in place at the time of issuance, rather than the whole lifetime of the certificate.
Could we change this? I.e. if the CAA record disappears, it would be a reason to revoke a certificate?
Then 3rd parties could scan transparency logs and CAA records and flag discrepancies.

9dev | 10 months ago
Wouldn't that be an obvious quick win?
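The third-party check londons_explore proposes, as an added example that is not part of the thread: given a (name, issuer) pair such as a Certificate Transparency scan would yield, decide whether the issuing CA was authorized by the domain's CAA policy under the RFC 8659 lookup and matching rules. The DNS data is a constructed in-memory zone and the CA identifiers are assumptions, so it runs offline; a real scanner would resolve CAA RRsets live.

```python
# Added example, not from the thread: auditor-side check of whether a CA's issuance
# for a name was permitted by the CAA policy, following RFC 8659 lookup/matching rules.
# The "zone" is constructed in-memory data so this runs offline; a real scanner would
# resolve CAA RRsets over DNS and take (name, issuer) pairs from CT logs.

# Constructed CAA data: DNS name -> list of (flags, tag, value) records.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),  # empty issuer domain: no wildcard issuance at all
        (0, "iodef", "mailto:security@example.com"),
    ],
    "dev.example.com": [(0, "issue", "digicert.com; account=12345")],
    "legacy.example.com": [(128, "bogus-tag", "x")],  # unknown critical property
}

def relevant_rrset(name, zone):
    """RFC 8659 s3: CAA RRset of the name itself, else of its closest ancestor."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None  # no CAA anywhere up the tree: issuance is unrestricted

def issuer_of(value):
    """Issuer domain from an issue/issuewild value, minus ';'-separated parameters."""
    return value.split(";", 1)[0].strip().rstrip(".").lower()

def issuance_permitted(name, ca_domain, zone=ZONE):
    """True if ca_domain was allowed to issue for name under the relevant CAA policy."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    if rrset is None:
        return True
    # A critical (flag bit 0x80) property the checker does not understand forbids issuance.
    if any(f & 0x80 and t.lower() not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    allowed = [issuer_of(v) for _, t, v in rrset if t.lower() == tag]
    if not allowed:
        return True  # RRset imposes no issue restriction (e.g. iodef only)
    return ca_domain.rstrip(".").lower() in allowed

if __name__ == "__main__":
    # Constructed (name, issuer) pairs such as a CT-log scan might yield.
    for name, ca in [("www.example.com", "letsencrypt.org"), ("*.example.com", "letsencrypt.org")]:
        print(name, ca, "ok" if issuance_permitted(name, ca) else "MISMATCH: flag for review")
```

As agwa notes, a mismatch found this way only shows the record differs now, not that it differed at issuance time, so such a scanner can flag a certificate for review but cannot by itself prove mis-issuance.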