by jb613 3570 days ago
> Still doesn't make any sense to me. Whether a CA performs a DNS query in order to do domain validation via email, http or to check a CAA record doesn't matter.

Brush up on CA cert issuance. You seem to be assuming that all CAs perform similar levels of due diligence before issuing certs. They don't; they differ widely. Some go much further than simply DNS validation.

> I'm suggesting making CAA mandatory.

For practical reasons, I am skeptical this will happen. Too many paying entities. In the spec/contract, the MUSTs will be lowered to SHOULDs.

> The certificate would not have been issued in my example.

IF the CA checked the CAA...

> CAA would have probably prevented the mis-issuance.

Exactly - "probably".

> CAA is only fully effective if all CAs implement it (or in other words: if it becomes mandatory).

1) It won't happen. Some CAs may have (or already have) implemented it, but how is the browser/user to know which have and which haven't? 2) It is unclear that it is even fully effective.

> Again, you fail to demonstrate how this complexity does more harm than good.

art. Introducing a new mechanism requires demonstration that the added complexity is worth the effort. And in this case, it is clear that unless everyone implements it, there is no added benefit. Added cost without benefit is a bad start.
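To make concrete what "checking the CAA" before issuance involves, here is an added example (not code from either commenter) that implements the RFC 6844 lookup and issuer match against a constructed in-memory zone; the domain names and the CA identifier `trusted-ca.example` are assumptions.

```python
"""CAA check as a CA would run it before issuing (RFC 6844 style).

Added example, not code from the thread. The zone below is constructed and
served from a dict instead of live DNS so the check runs offline.
"""
from typing import Dict, List, Optional, Tuple

# Constructed CAA records: owner name -> list of (flags, tag, value).
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com.": [(0, "issue", "trusted-ca.example"),
                     (0, "issuewild", ";"),            # nobody may issue wildcards
                     (0, "iodef", "mailto:security@example.com")],
    "nocaa.example.": [],                              # no CAA policy anywhere
}


def relevant_caa(name: str) -> Optional[List[Tuple[int, str, str]]]:
    """Walk from the FQDN toward the root and return the closest CAA RRset.

    RFC 6844 section 4: the relevant set is the first non-empty one found on
    the name or one of its parents; None means the domain has no CAA policy.
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return None


def issuance_allowed(name: str, ca_domain: str) -> bool:
    """Decide whether ca_domain may issue for name under the relevant CAA set.

    No CAA records -> allowed (CAA adds no constraint). Wildcard names use
    'issuewild' when present and fall back to 'issue'. A bare ';' value
    means no CA may issue that kind of certificate.
    """
    wildcard = name.startswith("*.")
    rrset = relevant_caa(name[2:] if wildcard else name)
    if rrset is None:
        return True
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag not in ("issue", "issuewild", "iodef"):
            return False  # critical flag on an unknown tag: must not issue
    tags = {tag for _, tag, _ in rrset}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return True  # only iodef or non-critical unknown tags: no restriction
    allowed = {v.split(";")[0].strip() for _, t, v in rrset if t == tag}
    return ca_domain in allowed  # ';' yields '' which never matches a CA
```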

1 comments

> They don't, they differ widely. Some go much further than simply DNS validation.

You're missing my point. You're acting like adding yet another DNS query equals some massive increase in complexity. However, all certificate issuance requires DNS queries. I'm quite aware of other validation steps (like for OV and EV). These steps are performed on top of the domain validation steps I mentioned. I have never argued that those are the only steps.