I agree that CAA is much more comprehensive, and would achieve what you
describe. Just wanted to point out that there are already many safeguards in
place for many / most CAs to prevent accidental issuance of very high value
domains that would likely come before a CAA check, so we are not defenseless
today. But you are right, this hard-wired stop list would not reach or protect
all companies who put a CAA limit in their DNS record. I doubt that many of
these domains are targets of fraudsters compared to the highest level targets.
From: Gervase Markham [mailto:g...@mozilla.org]
Sent: Tuesday, October 18, 2016 1:36 AM
To: Kirk Hall <kirk.h...@entrust.com>; email@example.com
Subject: Re: [cabfpub] Continuing the discussion on CAA
On 17/10/16 18:07, Kirk Hall via Public wrote:
> Gerv, one other point to consider is that many CAs already have hard
> stops that can't be easily overridden for the highest value names you
> listed ("Google or Yahoo or Microsoft" - or Mozilla), so a hard stop
> with CAA would never even be reached via automated requests for those
Indeed, I am aware of this. However, one problem with such a system is that the
domains chosen may well be culturally-conditioned and perhaps not updated often
- what are the key popular websites in Indonesia? Or Brazil? Or Turkey? And are
they the same ones that were important last year?
Still, it's very relevant that you point out this fact, because the point in a
CA's issuance process where this happens is exactly the point where I would
tell them to insert the CAA check.
In other words, instead of having a static list of high value names assembled
by the CA (which no-one seems to have a problem with, and all would say is best
practice), I am saying we should have a dynamic list of high value names
assembled by the domain owners, with membership of that list indicated by
setting a CAA record. And the effect on the CA's issuance process should be the
same "hard stop that can't be easily overridden" that you mention is now the
case for Google, Yahoo and Microsoft.
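The issuance gate Gerv describes, as an added example that is not part of the original thread: a minimal RFC 6844-style CAA check placed at the same point in the pipeline as the CA's static high-value stop list, run over a constructed in-memory DNS table (every zone, record and the CA identifier `ca.example` is hypothetical; real code would query DNS).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (128) = issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # "ca.example", "ca.example; account=1", or ";" for "nobody"

CA_IDENTITY = "ca.example"  # hypothetical identifier this CA publishes for CAA

# Constructed zone data (hypothetical domains), keyed by FQDN.
DNS = {
    "bank.example": [CAARecord(0, "issue", "ca.example")],
    "locked.example": [CAARecord(0, "issue", ";")],
    "wild.example": [CAARecord(0, "issue", "ca.example"),
                     CAARecord(0, "issuewild", ";")],
    "strict.example": [CAARecord(128, "future-tag", "x")],
}

# Static list of the kind the thread says CAs already hard-stop on.
STATIC_STOP_LIST = {"google.com", "yahoo.com", "microsoft.com", "mozilla.org"}

def ancestors(fqdn):
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def relevant_rrset(fqdn):
    """RFC 6844 tree climb: CAA set of the closest name (self or ancestor) that has one."""
    for name in ancestors(fqdn):
        if DNS.get(name):
            return DNS[name]
    return []

def caa_permits(fqdn, ca=CA_IDENTITY):
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn)
    if not rrset:
        return True   # no CAA anywhere in the tree: issuance is not restricted
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False  # critical flag on a tag this CA does not understand: must not issue
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    allowed = [r.value.split(";")[0].strip().lower() for r in rrset if r.tag == tag]
    if not allowed:
        return True   # only iodef or similar present: no issuance restriction
    return ca in allowed   # ";" yields "" and therefore authorizes no CA

def issuance_gate(fqdn, ca=CA_IDENTITY):
    """The 'hard stop' point: static list and CAA are consulted together."""
    base = fqdn[2:] if fqdn.startswith("*.") else fqdn
    if any(name in STATIC_STOP_LIST for name in ancestors(base)):
        return False, "static high-value stop list"
    if not caa_permits(fqdn, ca):
        return False, "CAA does not authorize " + ca
    return True, "ok"
```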