Currently, CAA identifiers and problem reporting information are collected on a per-CA basis and published in the "CA Information Report"[1].
However, externally-operated sub-CAs generally have their own CAA identifiers and problem reporting information, and this information is not currently collected. Would it be possible to collect this information on a per-intermediate basis and to publish it in the intermediate CA report[2]? There could also be a "same as parent" option, as with CPS/audit information.

Having this information readily available would make it possible to build some useful tools such as:

1. Auto-generate a CAA policy for a domain based on certificates currently logged to CT. (I want this for my CAA record generator[3].)

2. Monitor CT and make sure that issued certificates are compliant with the domain's published CAA policy (modulo DNS changes between time-of-issue and time-of-check).

3. Given a misissued certificate, display problem reporting information. (Might be handy for misissued.com)

Regards,
Andrew

[1] https://ccadb-public.secure.force.com/mozilla/CAInformationReport
[2] https://ccadb-public.secure.force.com/mozilla/PublicAllIntermediateCerts
[3] https://sslmate.com/labs/caa
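As an added illustration of use cases 1 and 2 above (example code, not from the post or from CCADB/sslmate): a constructed issuing-CA-to-CAA-identifier table stands in for the per-intermediate data the post asks CCADB to publish, a handful of constructed CT-observed certificates drive the policy generation, and the compliance check applies RFC 8659 `issue`/`issuewild` semantics to a domain's own records (the parent-domain climb is assumed to have been done already).

```python
from dataclasses import dataclass

# Constructed stand-in for the per-intermediate CCADB data proposed above:
# issuing CA name (as seen in CT) -> CAA identifiers that CA recognises.
CAA_IDENTIFIERS = {
    "Example Root CA": {"example-ca.test"},
    "Contoso Sub-CA (same as parent)": {"contoso-parent.test"},
    "Other CA": {"other-ca.test"},
}

@dataclass(frozen=True)
class LoggedCert:
    domain: str     # base name the certificate was issued for
    issuer: str     # issuing CA name as it appears in the CT-logged cert
    wildcard: bool  # True if the name is *.domain

def generate_caa_policy(domain, certs):
    """Use case 1: CAA records allowing every CA seen issuing for domain in CT.
    Returns sorted (domain, flags, tag, value) tuples."""
    records = set()
    for c in certs:
        if c.domain != domain:
            continue
        tag = "issuewild" if c.wildcard else "issue"
        for ident in CAA_IDENTIFIERS.get(c.issuer, set()):
            records.add((domain, 0, tag, ident))
    if not any(r[2] == "issue" for r in records):
        # Only wildcard issuers observed: forbid non-wildcard issuance outright.
        records.add((domain, 0, "issue", ";"))
    return sorted(records)

def caa_permits(policy, cert):
    """Use case 2: does the published policy permit this issuance?
    RFC 8659: issuewild records govern wildcard names when any exist, otherwise
    issue records apply; no records for the relevant tag means any CA may issue."""
    idents = CAA_IDENTIFIERS.get(cert.issuer, set())
    own = [r for r in policy if r[0] == cert.domain]
    tag = "issuewild" if cert.wildcard and any(r[2] == "issuewild" for r in own) else "issue"
    values = [r[3] for r in own if r[2] == tag]
    if not values:
        return True
    # A value of ";" carries an empty issuer-domain-name and forbids issuance.
    allowed = {v.split(";")[0].strip() for v in values}
    return bool(idents & allowed)
```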