On Tue, Oct 18, 2016 at 12:01 PM, Jacob Hoffman-Andrews via Public <
public@cabforum.org> wrote:

> On Sat, Sep 10, 2016 at 10:42 PM, Eric Mill <eric.m...@gsa.gov> wrote:
>>
>> CAA could be a straightforward way for enterprises to set an actual
>> security policy that can be technically enforced, without the same level of
>> risk or technical sophistication required by HPKP.
>>
>
> To clarify a bit on this point: I think CAA doesn't work well as a way to
> enforce top-down enterprise policy in the presence of delegated subdomains,
> because CAA records are checked starting from the leftmost label, and only
> the first record found is considered: https://tools.ietf.org/html/
> rfc6844#section-4.
>
> For instance, say you have a CAA record on example.com forbidding all
> issuance, and have a CNAME from blog.example.com to a hosting provider.
> That hosting provider can answer CAA queries for blog.example.com with a
> response that permits issuance.
>

> CAA has a lot of value, but I think this is not one of the things it is
> useful for.
>

I agree it's not useful for the specific case you highlighted, but I don't
think it's correct to paint all of the situations Eric raised as fitting
that mold. So CAA absolutely is useful for that case - but if and only if
you structure it in a way you can express CAA. But some (many?) enterprises
can do that, and it is valuable for the level Eric highlights.
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public

Reply via email to