Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
m_sahaf 3 days ago

I always wonder who/what checks if CAs respect CAA. I know some browsers now check the certificate transparency log, but are there any that check the CAA record against the issuer of the certificate?

agwa 3 days ago | parent | next [-]

No, because the CAA record only has to be in place at the time of issuance, rather than the whole lifetime of the certificate.

Even if the semantics of CAA were changed, the challenges described in paragraph 3 of this post would apply: https://www.imperialviolet.org/2015/01/17/notdane.html

londons_explore 3 days ago | parent [-]

> No, because the CAA record only has to be in place at the time of issuance, rather than the whole lifetime of the certificate.

could we change this? Ie. if the CAA record disappears, it would be a reason to revoke a certificate?

Then 3rd parties could scan transparency logs and CAA records and flag discrepancies.

mcpherrinm 3 days ago | parent [-]

It would be possible to change, though that would be a pretty big change.

Personally I think this is another good argument for short lived certificates and reducing reliance on revocation systems.

9dev 3 days ago | parent | prev [-]

Wouldn’t that be an obvious quick win?