Dear all, based on my CAA issuance experiments a month ago, I have repeated an extended set of experiments on CAA adherence by CAs: https://github.com/quirins/caa-test
Generally, I can confirm all tested CAs adhering to basic cases, and Comodo having patched their initial bug. Here is a summary of findings per test:

Test 1) Signed zone, issue ; — 0/7 CAs issued
Test 2) A DNSSEC-signed domain with timeouts on a restrictive CAA record — 3/7 CAs issued
Test 3) A domain with the critical flag set, and an undefined CAA tag — 1/7 CAs issued
Test 4) An unsigned domain with timeout on the CAA record — 6/7 CAs issued (which they are allowed to)
Test 5) A domain with a CNAME pointing directly to a restrictive CAA record — 2/7 CAs issued
Test 6) Errata 5065 / Ballot 214 test — CNAME pointing to target without CAA record, but restrictive CAA record at parent of CNAME target — 5/7 CAs issued (adopting the errata)

I have filed individual mis-issuance bug reports under bugzilla NSS/Mis-Issuance [1].

My interpretation is that CAA is generally widely respected by CAs. The lookup failure on DNSSEC signed zones seems to require attention. Furthermore, there are occasional glitches happening, whose root causes are still under investigation.

Kind regards
Quirin

[1] https://bugzilla.mozilla.org/buglist.cgi?product=NSS&component=CA%20Certificate%20Mis-Issuance&resolution=---&list_id=13836795
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
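The six cases above, as an added worked example that is not the poster's harness (https://github.com/quirins/caa-test) nor any CA's code: a Python model of the RFC 6844 section 4 relevant-RRset climb next to the Erratum 5065 / Ballot 214 variant, with the critical-flag rule and the DNSSEC-dependent lookup-failure rule applied. The zone contents, the names under .example and the CA identifiers good-ca.example / other-ca.example are constructed for illustration.

```python
from collections import namedtuple

CAA = namedtuple("CAA", "flags tag value")   # flags bit 7 (128) = issuer critical
CRITICAL, KNOWN_TAGS = 128, {"issue", "issuewild", "iodef"}

# Constructed zone data mirroring the six test cases in the post (all names hypothetical).
CNAME = {"t5.example": "restricted.cdn.example", "t6.example": "host.cdn.example"}
CAA_RRS = {
    "t1.example": [CAA(0, "issue", ";")],                      # nobody may issue
    "t3.example": [CAA(CRITICAL, "undefinedtag", "x")],        # critical flag, unknown tag
    "restricted.cdn.example": [CAA(0, "issue", "other-ca.example")],
    "cdn.example": [CAA(0, "issue", "other-ca.example")],      # parent of a CNAME target
}
TIMEOUTS = {"t2.example", "t4.example"}          # CAA queries for these names time out
SIGNED = {"t1.example", "t2.example", "t3.example"}  # zones with a DNSSEC chain to the root

def parent(name):
    return name.partition(".")[2]

def caa(name):
    """One CAA query; the resolver follows a CNAME to its target by itself."""
    if name in TIMEOUTS:
        raise TimeoutError(name)
    return CAA_RRS.get(CNAME.get(name, name), [])

def relevant(name, errata=True):
    """Relevant RRset: RFC 6844 sec. 4 also climbs from a CNAME target's parents;
    Erratum 5065 / Ballot 214 climbs only from the queried name's own parents."""
    while name:
        rrs = caa(name)
        if not rrs and name in CNAME and not errata:
            rrs = relevant(CNAME[name], errata=False)
        if rrs:
            return rrs
        name = parent(name)
    return []

def may_issue(ca, name, errata=True):
    """Non-wildcard issuance check for CA `ca` (issuewild and iodef are ignored)."""
    try:
        rrs = relevant(name, errata)
    except TimeoutError:
        # BR 3.2.2.8: a lookup failure may be treated as permission only when the
        # zone has no DNSSEC chain to the root (Test 4 versus Test 2 in the post).
        return name not in SIGNED
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrs):
        return False                     # RFC 6844 sec. 5.1: unrecognised critical property
    issuers = [r.value.split(";")[0].strip() for r in rrs if r.tag == "issue"]
    return not issuers or ca in issuers  # 'issue ";"' parses to "", matching no CA
```

Running may_issue("good-ca.example", "t6.example") with errata=True and errata=False reproduces the split in Test 6: the errata variant never consults cdn.example, the original RFC 6844 climb does.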

