Hacker News new | ask | show | jobs
by m_sahaf 421 days ago
I always wonder who/what checks if CAs respect CAA. I know some browsers now check the certificate transparency log, but are there any that check the CAA record against the issuer of the certificate?
2 comments
agwa 421 days ago
No, because the CAA record only has to be in place at the time of issuance, rather than the whole lifetime of the certificate.

Even if the semantics of CAA were changed, the challenges described in paragraph 3 of this post would apply: https://www.imperialviolet.org/2015/01/17/notdane.html

link
londons_explore 421 days ago
> No, because the CAA record only has to be in place at the time of issuance, rather than the whole lifetime of the certificate.

could we change this? Ie. if the CAA record disappears, it would be a reason to revoke a certificate?

Then 3rd parties could scan transparency logs and CAA records and flag discrepancies.

link
mcpherrinm 420 days ago
It would be possible to change, though that would be a pretty big change.

Personally I think this is another good argument for short lived certificates and reducing reliance on revocation systems.

link
9dev 421 days ago
Wouldn’t that be an obvious quick win?
link