by mmalone
2747 days ago
Hi, am author. Ah, yea, I know that CAs are supposed to check CAA before issuing and I do understand the security model. Figured browsers could/should too, but just dug a bit more and you’re right that CAA is explicitly not supposed to be checked by RPs. Conceptually I don’t see any major problem with using CAA for this purpose though, at least for your own internal PKI. The only potential issue is that if you change your CAA record your issued certs would break, so there’s an availability attack. I just found a reference to another standard called DANE that’s supposed to do this, but I don’t know anything about it.
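To make the issuer-side CAA check discussed in this thread concrete, here is an added example (not the commenter's code and not tied to any real CA): a minimal evaluator following the RFC 8659 rules, climbing the DNS tree to the nearest CAA RRset and deciding whether a given CA domain may issue. The zone data is constructed in memory; a real CA would query DNS (ideally DNSSEC-validated) at issuance time.

```python
from typing import Dict, List, Tuple

# Constructed CAA data: owner name -> list of (flags, tag, value).
# "issue ;" (empty issuer domain) means no CA may issue at all.
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com.": [(0, "issue", "internal-ca.example"), (0, "issuewild", ";")],
    "locked.example.com.": [(0, "issue", ";")],
}


def relevant_caa(name: str) -> List[Tuple[int, str, str]]:
    """Return the closest CAA RRset at or above `name` (RFC 8659 section 3).

    An empty list means no CAA record exists anywhere up the tree.
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ZONE:
            return ZONE[candidate]
    return []


def issuance_allowed(name: str, issuer_domain: str) -> bool:
    """Decide whether the CA identified by `issuer_domain` may issue for `name`."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa(name[2:] if wildcard else name)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild, when present, overrides issue for wildcards
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True  # CAA present but no relevant property: not restricted
    for value in values:
        # Property value is "issuer-domain [; param=value ...]"; keep the domain.
        domain = value.split(";", 1)[0].strip().lower()
        if domain and domain == issuer_domain.lower():
            return True
    return False  # no matching issuer, or an explicit "issue ;" that blocks everyone
```

Note that the check is evaluated only when a certificate is issued; changing the CAA record afterwards does not affect certificates already in the wild, which is exactly why relying parties are told not to consult it.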