This raised a question: How can CA prove they have done CAA checks or not at the time of issue?
在 2019年5月10日星期五 UTC+8上午10:05:36，Jeremy Rowley写道： > FYI, we posted this today: > > > > https://bugzilla.mozilla.org/show_bug.cgi?id=1550645 > > > > Basically we discovered an issue with our CAA record checking system. If the > system timed out, we would treat the failure as a DNS failure instead of an > internal failure. Per the BRs Section 3.2.2: > > "CAs are permitted to treat a record lookup failure as permission to issue > if: > > . the failure is outside the CA's infrastructure; > > . the lookup has been retried at least once; and > > . the domain's zone does not have a DNSSEC validation chain to the ICANN > root" > > > > The failure was not outside our infrastructure so issuance was improper. > > > > We checked all the applicable CAA records and found 16 where the CAA record > would not permit us to issue if we were issuing a new cert today. What we > are proposing is to revoke these certificates and reissue them (if they pass > all the proper checks). The rest would pass if we issued today so we were > going to leave these where they are while disclosing them to the Mozilla > community. > > > > Other suggestions are welcome. > > > > The issue was put into the code back when CAA record checking became > mandatory (Sept 2017). We generally have a peer review of our code so that > at least one other developer has looked at the system before release. In > this case, neither PM nor a second reviewer was involved in the development. > We've since implemented more stringent development processes, including > ensuring a PM reviews and brings questions about projects to the compliance > team. > > > > Anyway, let me know what questions, comments, etc you have. > > > > Thanks! > > Jeremy _______________________________________________ dev-security-policy mailing list email@example.com https://lists.mozilla.org/listinfo/dev-security-policy