A CAA record is meant to be consumed by the CA, not by end-users, so it doesn't provide much protection.
O.
--
Ondřej Surý <[email protected]>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware, fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – flours from the mill and supplies for baking bread of all kinds

On Wed, Jul 26, 2017, at 01:01, James Bromberger wrote:
>
> On 26/07/2017 6:20 AM, Adam Borowski wrote:
> > https provides no protection against targeted attacks by government
> > agents.
> > The CA cartel model consists of 400+ CAs, many of them outright controlled
> > by governments, most of the rest doing what they're told (no, warrants
> > are a story for nice kids). Clients in general trust _any_ CA, which means
> > you're only as secure as the worst CA. I.e., https protects you against Joe
> > Script Kiddie but not against a capable opponent.
>
> Except there are new-ish ways to limit the scope from 400+ CAs to just
> the one you use.
> c.f.
> /Certification Authority Authorization/ (/CAA/) /DNS/ Resource
> https://tools.ietf.org/html/rfc6844
>
> ... if APT wishes to support this.
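To make the point of the thread concrete (CAA is enforced by the issuing CA, and a client like APT never consults it), here is an added example, not code from anyone in this thread, of the CA-side authorization check that RFC 6844 describes: find the relevant CAA RRset by climbing from the requested name toward the root, refuse on unknown critical properties, then match the CA's issuer domain against `issue` (or `issuewild` for wildcard requests). The zone data is constructed for the example, and CNAME following and real DNS resolution are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) is the "issuer critical" flag
    tag: str     # property tag: issue, issuewild, iodef, ...
    value: str   # property value, e.g. "letsencrypt.org" or ";" (no issuer)

# Constructed sample zone (not real DNS data): name -> CAA RRset
ZONE = {
    "example.com": [CAA(0, "issue", "letsencrypt.org"),
                    CAA(0, "iodef", "mailto:[email protected]")],
    "strict.example.com": [CAA(0, "issue", ";")],          # nobody may issue
    "wild.example.com": [CAA(0, "issue", "letsencrypt.org"),
                         CAA(0, "issuewild", "digicert.com")],
    "odd.example.com": [CAA(128, "futuretag", "x")],       # unknown, critical
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_caa_set(name, zone):
    """RFC 6844 section 4: CAA(X) if non-empty, otherwise climb to the parent."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)
    return []

def issuer_domain(value):
    # "issue" values are "<domain>[; param=value ...]"; a bare ";" means no issuer
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca, name, zone, wildcard=False):
    """Return True if CA `ca` is authorized to issue for `name` under the zone's CAA."""
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True   # no CAA anywhere up the tree: issuance is unrestricted
    # An unknown property with the critical flag set forbids issuance outright
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    tags = {r.tag.lower() for r in rrset}
    use_tag = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    if use_tag not in tags:
        return True   # set restricts nothing relevant (e.g. only iodef): permitted
    allowed = {issuer_domain(r.value) for r in rrset if r.tag.lower() == use_tag}
    allowed.discard("")   # ";" entries contribute no authorized issuer
    return ca.lower() in allowed
```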

