On Sat, Sep 10, 2016 at 10:42 PM, Eric Mill <eric.m...@gsa.gov> wrote:
>
> CAA could be a straightforward way for enterprises to set an actual
> security policy that can be technically enforced, without the same level of
> risk or technical sophistication required by HPKP.
>

To clarify a bit on this point: I think CAA doesn't work well as a way to
enforce top-down enterprise policy in the presence of delegated subdomains,
because CAA records are checked starting from the leftmost label, and only
the first record found is considered:
https://tools.ietf.org/html/rfc6844#section-4.

For instance, say you have a CAA record on example.com forbidding all
issuance, and have a CNAME from blog.example.com to a hosting provider.
That hosting provider can answer CAA queries for blog.example.com with a
response that permits issuance.

CAA has a lot of value, but I think this is not one of the things it is
useful for.
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
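The lookup order the message describes, as an added example that is not part of the original post: a small Python model of the RFC 6844 section 4 algorithm (CAA(X) first, then the CNAME target A(X), then the parent P(X), stopping at the TLD) run over a constructed in-memory zone snapshot rather than real DNS. The names "cdn.hosting.example.net" and the CA identifier "hosting-ca.example" are hypothetical; only CNAME aliases and the "issue" property are modelled (no DNAME, no "issuewild").

```python
"""
RFC 6844 section 4 "Relevant Resource Record Set" lookup over an
in-memory zone snapshot. Added example; not code from the mailing
list post. Constructed data only, nothing is queried over the network.
"""
from __future__ import annotations

# Constructed zone snapshot (hypothetical names and CA identifier).
# example.com forbids all issuance, but blog.example.com is a CNAME to a
# hosting provider that publishes its own permissive CAA record.
ZONE: dict[str, list[tuple[str, str]]] = {
    "example.com.": [("CAA", '0 issue ";"')],
    "blog.example.com.": [("CNAME", "cdn.hosting.example.net.")],
    "cdn.hosting.example.net.": [("CAA", '0 issue "hosting-ca.example"')],
    "www.example.com.": [("A", "192.0.2.10")],
}


def caa(name: str, zone: dict) -> list[str]:
    """CAA(X): the CAA RRset published directly at X."""
    return [value for rtype, value in zone.get(name, []) if rtype == "CAA"]


def alias(name: str, zone: dict) -> str | None:
    """A(X): the CNAME target at X, or None (DNAME not modelled)."""
    for rtype, value in zone.get(name, []):
        if rtype == "CNAME":
            return value
    return None


def parent(name: str) -> str | None:
    """P(X): the label immediately above X, or None when X is a TLD."""
    labels = name.rstrip(".").split(".")
    if len(labels) <= 1:
        return None
    return ".".join(labels[1:]) + "."


def relevant_caa(name: str, zone: dict, _depth: int = 0) -> list[str]:
    """R(X) per RFC 6844 section 4: the first non-empty set found wins."""
    if _depth > 8:
        raise RuntimeError(f"CNAME chain too long while resolving {name}")
    own = caa(name, zone)
    if own:                         # CAA(X) non-empty: use it, stop here
        return own
    target = alias(name, zone)
    if target is not None:          # follow the alias before the parent
        via_alias = relevant_caa(target, zone, _depth + 1)
        if via_alias:
            return via_alias
    above = parent(name)
    if above is not None:           # X is not a TLD: climb to P(X)
        return relevant_caa(above, zone, _depth)
    return []                       # reached the TLD with nothing found


def issuance_allowed(name: str, ca_domain: str, zone: dict) -> bool:
    """Apply the 'issue' property of R(X) for a CA identified by ca_domain."""
    issue_values = []
    for record in relevant_caa(name, zone):
        _flags, tag, value = record.split(" ", 2)
        if tag.lower() == "issue":
            issue_values.append(value.strip('"'))
    if not issue_values:
        # No issue property in the relevant set: CAA imposes no restriction.
        return True
    for value in issue_values:
        # issue value is "<issuer-domain>[; parameters]"; ";" alone names no CA.
        issuer = value.split(";", 1)[0].strip()
        if issuer and issuer.lower() == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    for host in ("example.com.", "www.example.com.", "blog.example.com."):
        print(host, relevant_caa(host, ZONE),
              "hosting-ca.example may issue:",
              issuance_allowed(host, "hosting-ca.example", ZONE))
```

Running it shows the point of the message: www.example.com inherits the parent's `issue ";"` and no CA may issue, while blog.example.com resolves to the hosting provider's record at the CNAME target and `hosting-ca.example` may issue, so the policy on example.com never comes into play for the delegated name. RFC 8659, which later replaced RFC 6844, stopped climbing the tree above the alias target, but the target's own CAA record still takes precedence over the parent zone, so the scenario described here is unchanged.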
