by westurner
487 days ago
It says "Proposed Standard" on the RFC; maybe that's why it's not widely implemented if that's the case? https://bettertls.com/ has Name Constraints implementation validation tests, but "Archived Results" doesn't seem to have recent versions of SSL clients listed? nameConstraints=critical,
DNS Certification Authority Authorization: https://en.wikipedia.org/wiki/DNS_Certification_Authority_Au...

> Registrants publish a "CAA" Domain Name System (DNS) resource record which compliant certificate authorities check for before issuing digital certificates.

And hopefully they require DNSSEC signatures and DoH/DoT/DoQ when querying for CAA records.
I'm not sure why CAA is brought up here. I guess it is somewhat complementary in "reducing" the power of CAs, but it defends against good CAs misissuing stuff, not limiting the power of arbitrary CAs (as it's checked at issuance time, not at time of use).
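The issuance-time CAA check that both comments refer to, as an added example that is not part of this thread: a CA decides, per RFC 8659, whether it may issue for a name by walking the DNS tree upward to the first non-empty CAA RRset, refusing on any unknown critical property, and then matching its own identifier against the `issue` (or, for wildcard names, `issuewild`) values. The zone data, domain names and CA identifiers below are constructed placeholders, held in a dictionary instead of being fetched from DNS, so the example runs offline; a real CA would also need the DNSSEC validation the first comment hopes for, which this example does not do.

```python
"""Added example (not from the thread): a minimal RFC 8659 CAA check of the
kind a CA runs at issuance time, over constructed zone data instead of live DNS."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRITICAL = 128          # issuer-critical flag bit in the CAA flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone: every name and CA identifier here is a placeholder.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(0, "issuewild", ";"),          # no CA may issue wildcards
    ],
    "sub.example.com.": [
        CAARecord(CRITICAL, "future-tag", "x"),  # critical, unknown to this checker
    ],
    "locked.example.com.": [
        CAARecord(0, "issue", ";"),              # no CA may issue at all
    ],
}


def _canonical(name: str) -> str:
    return name.rstrip(".").lower() + "."


def relevant_caa_set(fqdn: str, zone: Dict[str, List[CAARecord]]
                     ) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 section 3: walk from the FQDN towards the root and return the
    first non-empty CAA RRset, together with the name it was found at."""
    labels = _canonical(fqdn).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        records = zone.get(candidate, [])
        if records:
            return candidate, records
    return None, []


def _issuer_domain(value: str) -> str:
    # issuer-domain-name is everything before the first ';'; parameters follow it.
    # A bare ";" (or an empty value) therefore authorizes no issuer at all.
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(fqdn: str, ca_domain: str,
                     zone: Dict[str, List[CAARecord]] = ZONE) -> bool:
    """Return True if a CA identified by ca_domain may issue for fqdn."""
    wildcard = fqdn.startswith("*.")
    lookup = fqdn[2:] if wildcard else fqdn
    _, records = relevant_caa_set(lookup, zone)
    if not records:
        return True   # no CAA policy anywhere up the tree: not restricted
    # Section 4.1: a critical property the CA does not understand forbids issuance.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in records):
        return False
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"   # section 4.3: issuewild overrides issue for wildcards
    policy = [r for r in records if r.tag.lower() == tag]
    if not policy:
        return True   # the governing property is absent: this request is unrestricted
    return any(_issuer_domain(r.value) == ca_domain.lower() for r in policy)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca-one.example"),
                     ("www.example.com", "ca-two.example"),
                     ("*.example.com", "ca-one.example"),
                     ("sub.example.com", "ca-one.example"),
                     ("host.other.test", "anyone.example")]:
        print(f"{ca:>16} -> {name:<18} allowed={issuance_allowed(name, ca)}")
```

The walk in `relevant_caa_set` is why a record at `example.com.` governs `deep.www.example.com` even though no CAA record exists at the longer name, and it also shows the limit the reply points out: the decision is made by the CA at issuance, so a CA that skips this check, or is fed a spoofed unsigned answer, is not constrained by it at all.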