On Sat, Sep 10, 2016 at 10:42 PM, Eric Mill <eric.m...@gsa.gov> wrote:
> CAA could be a straightforward way for enterprises to set an actual
> security policy that can be technically enforced, without the same level of
> risk or technical sophistication required by HPKP.

To clarify a bit on this point: I think CAA doesn't work well as a way to
enforce top-down enterprise policy in the presence of delegated subdomains,
because CAA records are checked starting from the leftmost label, and only
the first record found is considered:

For instance, say you have a CAA record on example.com forbidding all
issuance, and have a CNAME from blog.example.com to a hosting provider.
That hosting provider can answer CAA queries for blog.example.com with a
response that permits issuance.

CAA has a lot of value, but I think this is not one of the things it is
useful for.
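The lookup behaviour described above, as an added illustration that is not part of the original message: a small Python model of the CAA relevant-record-set walk (the RFC 8659 form of the RFC 6844 algorithm: at each label follow the CNAME chain as a resolver would, take the first non-empty CAA set, otherwise climb to the parent). The zone data, the hosting-provider name and the CA name are all constructed for the example; the last function is a defender-side check that reports whether a subdomain's effective CAA policy is actually served from inside the enterprise zone.

```python
from typing import Dict, List, Optional, Tuple

# Constructed toy zone: name -> its CNAME target and/or its CAA record strings.
# example.com forbids all issuance; blog.example.com is a CNAME to a hosting
# provider whose own CAA record permits a CA of its choosing.
ZONE: Dict[str, Dict[str, object]] = {
    "example.com": {"CAA": ['0 issue ";"']},
    "blog.example.com": {"CNAME": "sites.hosting-provider.example"},
    "sites.hosting-provider.example": {"CAA": ['0 issue "provider-ca.example"']},
}


def caa_records(name: str, zone: Dict) -> List[str]:
    return list(zone.get(name, {}).get("CAA", []))


def cname_target(name: str, zone: Dict) -> Optional[str]:
    return zone.get(name, {}).get("CNAME")


def relevant_caa_set(domain: str, zone: Dict, max_cname: int = 8) -> Tuple[Optional[str], List[str]]:
    """Return (name the CAA set was found at, records), or (None, []) if none.

    Walk from the leftmost label towards the root. At each name, chase the
    CNAME chain the way a resolver answering a CAA query would; the first
    non-empty CAA set wins and nothing further up is consulted.
    """
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels)):
        cur = ".".join(labels[i:])
        hops = 0
        while True:
            recs = caa_records(cur, zone)
            if recs:
                return cur, recs
            target = cname_target(cur, zone)
            if target is None or hops >= max_cname:
                break
            cur, hops = target, hops + 1
    return None, []


def parse_caa(record: str) -> Tuple[int, str, str]:
    """Split '0 issue "ca.example"' into (flags, tag, value without quotes)."""
    flags, tag, value = record.split(" ", 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def issuance_permitted(domain: str, ca: str, zone: Dict) -> bool:
    """Would a CA identified by `ca` be allowed to issue for `domain`?

    Only the 'issue' property is modelled here (no issuewild); an 'issue'
    value of ';' permits nobody, and a missing 'issue' property permits anyone.
    """
    _, recs = relevant_caa_set(domain, zone)
    issue_values = [v for _, t, v in map(parse_caa, recs) if t == "issue"]
    if not issue_values:
        return True
    return any(v.split(";")[0].strip() == ca for v in issue_values)


def caa_control(domain: str, apex: str, zone: Dict) -> str:
    """Defender check: where does the effective CAA policy for `domain` live?

    'in-zone'  - served from the enterprise apex or a name beneath it
    'external' - served from a name outside the apex (a delegated target)
    'none'     - no CAA set found anywhere on the walk
    """
    source, _ = relevant_caa_set(domain, zone)
    if source is None:
        return "none"
    if source == apex or source.endswith("." + apex):
        return "in-zone"
    return "external"


if __name__ == "__main__":
    for name in ("example.com", "www.example.com", "blog.example.com"):
        src, recs = relevant_caa_set(name, ZONE)
        print(f"{name}: policy from {src} -> {recs}; control={caa_control(name, 'example.com', ZONE)}")
```

Running it shows that www.example.com inherits the apex's "issue ;" while blog.example.com's policy comes from sites.hosting-provider.example, so the apex record never applies to it; the `caa_control` result of "external" is the condition an enterprise would want to flag when auditing delegated names.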