[dns-operations] Browser and CA enforcement of CAA records?

Viktor Dukhovni ietf-dane at dukhovni.org
Thu May 25 03:29:43 UTC 2017

> On May 24, 2017, at 10:26 PM, Paul Hoffman <phoffman at proper.com> wrote:
>>>   «it is possible
>>>   that a certificate that is not conformant with the CAA records
>>>   currently published was conformant with the CAA records published at
>>>   the time that the certificate was issued.  Relying Applications MUST
>>>   NOT use CAA records as part of certificate validation.»
>> -- https://tools.ietf.org/html/rfc6844#section-1
> I know; I helped write that text during the development of the spec. That doesn't mean that everyone is following it.

CAA is also difficult for a non-CA to follow: the party named in the
constraint has little resemblance to the party one sees named in the issuer
DN of the certificate.  The RP would need a mapping table.  Also, such
mappings would need to be extensible to support intramural CAs, ...

It is not a simple matter of just "checking" the CAA.
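The point above is that the identifier a CAA record names is a CA-chosen domain (e.g. "letsencrypt.org"), not anything that appears in a certificate's issuer DN, and that CAA semantics (issuewild precedence, critical flags, empty-value records) are defined for the CA at issuance time. The following added example, not part of this thread, parses CAA RDATA in RFC 6844 wire format and applies the CA-side issuance rule; the record bytes and CA names are constructed for illustration:

```python
"""Parse CAA RDATA (RFC 6844 wire format) and apply the CA-side issuance rule."""
from dataclasses import dataclass
from typing import List

ISSUER_CRITICAL = 0x80  # bit 0 of the flags octet (RFC 6844 section 5.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa_rdata(rdata: bytes) -> CAARecord:
    """Decode one CAA RDATA: flags (1 octet), tag length (1 octet), tag, value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    value = rdata[2 + tag_len:].decode("utf-8")
    return CAARecord(flags, tag, value)


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'.
    An empty domain (value ';') authorises no CA at all."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(records: List[CAARecord], ca_domain: str,
                       wildcard: bool = False) -> bool:
    """Decide whether the CA identified by ca_domain may issue.

    ca_domain is the CA's CAA identifier, not its issuer DN: a relying
    party has no standard mapping between the two, which is why this
    check belongs to the CA at issuance time."""
    if not records:
        return True  # no CAA RRset found: no constraint
    # An unknown property marked critical means the CA must not issue.
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    # issuewild takes precedence over issue for wildcard requests, when present.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"
    allowed = {issuer_domain(r.value) for r in records if r.tag == tag}
    return ca_domain.lower() in allowed
```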


