On Sat, Sep 10, 2016 at 10:42 PM, Eric Mill <[email protected]> wrote:
> CAA could be a straightforward way for enterprises to set an actual
> security policy that can be technically enforced, without the same level of
> risk or technical sophistication required by HPKP.
To clarify a bit on this point: I think CAA doesn't work well as a way to enforce top-down enterprise policy in the presence of delegated subdomains, because CAA records are checked starting from the leftmost label, and only the first record found is considered: https://tools.ietf.org/html/rfc6844#section-4. For instance, say you have a CAA record on example.com forbidding all issuance, and have a CNAME from blog.example.com to a hosting provider. That hosting provider can answer CAA queries for blog.example.com with a response that permits issuance. CAA has a lot of value, but I think this is not one of the things it is useful for.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
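The lookup the message describes, worked through in code. This is an added example, not code from the poster or from the CA/Browser Forum: a small in-memory model of the RFC 6844 Section 4 algorithm for the relevant CAA record set R(X) (check CAA(X); else follow an alias A(X) and evaluate R there; else climb to the parent P(X) until a top-level domain is reached). The zone data (example.com, blog.example.com, hosting.example, hosting-ca.example) is constructed for the illustration and stands in for DNS; only the "issue" property is evaluated, and issuewild, DNAME and the critical flag are not modeled. RFC 6844 has since been obsoleted by RFC 8659, which revised alias handling; the code follows the 2016 text the message cites.

```python
"""Model of the RFC 6844 Section 4 CAA lookup (relevant record set R(X)).

Toy in-memory zone data stands in for DNS; all names are constructed for
the example and are not real domains or real CAs.
"""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone data.  A name maps to its CAA RRset and/or a CNAME target.
ZONE: Dict[str, dict] = {
    # Enterprise policy: an "issue" property whose issuer domain is empty
    # (value ";") authorizes no CA at all.
    "example.com.": {"CAA": [(0, "issue", ";")]},
    # Delegated subdomain: blog.example.com is a CNAME into a hosting provider.
    "blog.example.com.": {"CNAME": "sites.hosting.example."},
    # The provider publishes its own CAA policy in its own zone.
    "hosting.example.": {"CAA": [(0, "issue", "hosting-ca.example")]},
}


def labels(name: str) -> List[str]:
    return name.rstrip(".").split(".")


def is_tld(name: str) -> bool:
    return len(labels(name)) == 1


def parent(name: str) -> str:
    """P(X): the name with its leftmost label removed."""
    return ".".join(labels(name)[1:]) + "."


def caa_rrset(name: str) -> List[CaaRecord]:
    """CAA(X): the CAA records published exactly at X."""
    return list(ZONE.get(name, {}).get("CAA", []))


def alias_target(name: str) -> Optional[str]:
    """A(X): the CNAME target at X, if any.  (A real resolver follows this
    automatically when answering the CAA query; the RFC spells it out.)"""
    return ZONE.get(name, {}).get("CNAME")


def relevant_caa(name: str, hops: int = 0) -> Optional[Tuple[str, List[CaaRecord]]]:
    """R(X) per RFC 6844 s4.  Returns (name where found, RRset), or None."""
    if hops > 8:
        raise RuntimeError("alias chain too long")
    rrset = caa_rrset(name)
    if rrset:                                   # CAA(X) is non-empty
        return name, rrset
    target = alias_target(name)
    if target is not None:                      # A(X) set and R(A(X)) non-empty
        via_alias = relevant_caa(target, hops + 1)
        if via_alias is not None:
            return via_alias
    if is_tld(name):                            # nowhere left to climb
        return None
    return relevant_caa(parent(name), hops)     # R(P(X))


def may_issue(fqdn: str, ca_domain: str) -> bool:
    """Does the relevant CAA set let ca_domain issue for fqdn?  ("issue" only.)"""
    found = relevant_caa(fqdn)
    if found is None:
        return True                             # no CAA anywhere: unrestricted
    _, rrset = found
    issuers = [v.split(";", 1)[0].strip().lower()
               for _, tag, v in rrset if tag.lower() == "issue"]
    if not issuers:
        return True                             # no "issue" property: unrestricted
    return ca_domain.lower() in issuers         # "" (from ";") matches nobody


if __name__ == "__main__":
    for fqdn in ("www.example.com.", "blog.example.com."):
        where, rrs = relevant_caa(fqdn)
        print(f"{fqdn}: policy taken from {where}: {rrs}; "
              f"hosting-ca.example may issue: {may_issue(fqdn, 'hosting-ca.example')}")
```

Running it shows the point of the message: www.example.com climbs to example.com and finds the "issue all nothing" record, so no CA may issue, while blog.example.com never reaches example.com at all. Its CNAME is followed first, the climb restarts from the alias target inside the provider's zone, and the first CAA set found there (at hosting.example) decides the answer. The enterprise record one label up is simply never consulted.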
