[dns-operations] Browser and CA enforcement of CAA records?
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu May 25 03:29:43 UTC 2017
> On May 24, 2017, at 10:26 PM, Paul Hoffman <phoffman at proper.com> wrote:
>
>>> «it is possible
>>> that a certificate that is not conformant with the CAA records
>>> currently published was conformant with the CAA records published at
>>> the time that the certificate was issued. Relying Applications MUST
>>> NOT use CAA records as part of certificate validation.»
>>>
>> -- https://tools.ietf.org/html/rfc6844#section-1
>
> I know; I helped write that text during the development of the spec. That doesn't mean that everyone is following it.
CAA is also difficult for a non-CA to follow: the party named in the
constraint has little resemblance to the party one sees named in the issuer
DN of the certificate. The RP would need a mapping table. Also, such
mappings would need to be extensible to support intramural CAs, ...
It is not a simple matter of just "checking" the CAA.
--
Viktor.
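An added example, not code from this thread or from any CA or resolver: the issuer-side CAA evaluation that RFC 6844 sections 3 to 5 describe, run over a constructed zone. It shows what a CA actually matches (its own issuer-domain-name in the `issue`/`issuewild` value, not anything in a certificate's issuer DN), which is the mapping problem the message above points at. Assumptions: the `ZONE` dict stands in for DNS answers, CNAME/DNAME following is omitted, and a relevant RRset with no applicable `issue` or `issuewild` tag (e.g. `iodef` only) is treated as not restricting issuance.

```python
"""Issuer-side CAA check (added example; simplified model of RFC 6844)."""
from typing import Dict, List, Tuple

CaaRR = Tuple[int, str, str]  # (flags, tag, value)
ISSUER_CRITICAL = 0x80        # RFC 6844 s.5.1 "Issuer Critical" flag bit

# Constructed sample zone: owner name -> CAA RRset.
ZONE: Dict[str, List[CaaRR]] = {
    "example.com": [(0, "issue", "ca-one.example; account=42"),
                    (0, "issuewild", ";"),
                    (0, "iodef", "mailto:security@example.com")],
    "sub.example.com": [(ISSUER_CRITICAL, "futuretag", "x")],
    "api.example.com": [(0, "issue", "ca-two.example")],
}

def relevant_rrset(zone: Dict[str, List[CaaRR]], fqdn: str) -> List[CaaRR]:
    """RFC 6844 s.4: the RRset of the first name, walking up the parent
    labels from fqdn, that has any CAA records (empty list if none)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_domain(value: str) -> str:
    """The issuer-domain-name is the value up to ';', parameters dropped;
    an empty name (value ';') authorises no issuer at all."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(zone: Dict[str, List[CaaRR]], fqdn: str, ca: str,
              wildcard: bool = False) -> bool:
    """True when the CA known by issuer-domain-name `ca` may issue for fqdn."""
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance unrestricted
    # A critical record whose tag this CA does not understand forbids issuance.
    if any(f & ISSUER_CRITICAL and t not in ("issue", "issuewild", "iodef")
           for f, t, _ in rrset):
        return False
    issue = [issuer_domain(v) for _, t, v in rrset if t == "issue"]
    wild = [issuer_domain(v) for _, t, v in rrset if t == "issuewild"]
    applicable = wild if (wildcard and wild) else issue  # issuewild wins for *.
    if not applicable:
        return True  # assumption: no applicable tag means no restriction
    return ca.lower() in applicable
```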