Jakob Schlyter wrote:
>
> Marc Lampo <[email protected]> wrote:
> >
> > I can still inform my visitors which CA *I* chose for my real certificate.
> > But that seems to be the CAA RR, recently published ...
>
> The primary purpose of the CAA RR is to allow for CAs "to implement
> additional controls to reduce the risk of unintended certificate
> mis-issue" (quote from RFC 6844). Although it may be used for
> certificate evaluators (e.g. the browser) as well, that is not the
> primary purpose.
TLS clients, including browsers, MUST NOT look at DNS CAA records!!
Quoting from RFC 6844:
Relying Applications MUST NOT use CAA records as part of certificate validation.
The content of the CAA is information directed to CAs about permissible
issuers for _new_ certificates. They are not necessarily related to
the issuer of any currently used certificates, and may differ,
i.e. a Web Server might be currently using a certificate from
an issuer for which no CAA record exists, and TLS clients (Relying Parties)
MUST NOT check this during certificate path validation.
-Martin
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
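To make the distinction in this thread concrete, here is an added example (not code from any poster or from the IETF) of the issuance-time check that RFC 6844 describes for a CA: find the relevant CAA record set by walking from the requested name toward the root (Section 4), honour the "issuer critical" flag on unrecognised properties, and compare the issuer domains in any issue properties with the CA's own. The zone contents, CA names and the CAARecord type are constructed for the example; CNAME/DNAME following and the issuewild tag are left out, and a relevant set that contains no issue property is treated as not restricting issuance, which is the usual reading of the RFC but is stated here as an assumption.

```python
from dataclasses import dataclass

CRITICAL = 0x80  # RFC 6844 flags byte, bit 0x80: "issuer critical"


@dataclass(frozen=True)
class CAARecord:
    flags: int  # flags byte as it appears in the RR
    tag: str    # property tag: "issue", "issuewild", "iodef", ...
    value: str  # property value, e.g. "ca-a.example; account=42"


# Constructed zone data for the example: owner name (FQDN) -> CAA RRset.
# Names without an entry have no CAA records at all.
ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "ca-a.example"),
        CAARecord(0, "iodef", "mailto:[email protected]"),
    ],
    "locked.example.": [CAARecord(0, "issue", ";")],  # empty issuer domain: no CA may issue
    "strict.example.": [CAARecord(CRITICAL, "futuretag", "x")],  # critical, unknown property
}


def parent(name):
    """Return the parent of an FQDN, or None once the top label has been consumed."""
    labels = name.rstrip(".").split(".")
    if len(labels) <= 1:
        return None
    return ".".join(labels[1:]) + "."


def relevant_caa_set(domain, zone):
    """RFC 6844 Section 4: the first non-empty CAA RRset found while climbing
    from the requested name toward the root is the relevant set (CNAME/DNAME
    handling from the RFC is omitted in this constructed example)."""
    name = domain if domain.endswith(".") else domain + "."
    while name is not None:
        rrset = zone.get(name)
        if rrset:
            return rrset
        name = parent(name)
    return []


def issuer_domain(value):
    """An issue value is '<issuer-domain> [; parameters]'; an empty issuer domain
    (a bare ';') means no CA is authorised."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(ca_domain, requested_domain, zone):
    """Issuance-time decision for a CA identified by ca_domain.
    This is the check CAs perform before issuing a *new* certificate; it says
    nothing about certificates a server already presents, and TLS clients do
    not run it during path validation."""
    rrset = relevant_caa_set(requested_domain, zone)
    known_tags = {"issue", "issuewild", "iodef"}
    # A critical property the CA does not understand forbids issuance.
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in known_tags:
            return False
    issue_records = [rr for rr in rrset if rr.tag.lower() == "issue"]
    if not issue_records:
        # Assumption for this example: no issue property means issuance is not restricted.
        return True
    return any(issuer_domain(rr.value) == ca_domain.lower() for rr in issue_records)


if __name__ == "__main__":
    for ca, name in [("ca-a.example", "www.example.com"),
                     ("ca-b.example", "www.example.com"),
                     ("ca-a.example", "locked.example"),
                     ("ca-a.example", "strict.example"),
                     ("ca-a.example", "unrelated.test")]:
        print(f"{ca:14} -> {name:18} may issue: {ca_may_issue(ca, name, ZONE)}")
```

Run against the constructed zone, ca-b.example is refused for www.example.com because example.com. only lists ca-a.example; that result constrains ca-b's future issuance and nothing else. A server at www.example.com that already presents a ca-b certificate keeps working, which is exactly the point Martin makes above: a relying party that consulted this function during validation would be inventing a constraint the RFC forbids it from applying.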