Here's some more data. Attached is a complete list of all CAA records where we've rejected issuance. I think most of these are tests being run to verify DigiCert's CAA record checking (either CAAtestsuite or the Bear one). We have issued for cacerts.digicert.com as a domain, but we permit *.digicert.com right now as a valid CAA setting. I think we also saw and permitted caa.digicert.com but that was before the 8th.
-----Original Message-----
From: Public [mailto:[email protected]] On Behalf Of Jeremy Rowley via Public
Sent: Monday, September 11, 2017 6:57 PM
To: Paul Hoffman <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]>
Subject: Re: [cabfpub] CAA checking: anecdotal reports?

Some initial thoughts:

Attached is an image of what we're seeing on CAA record check times since it was fully implemented as a pre-issuance check back on the 5th. Average delay caused by CAA checking is about 180 ms.

We have rejected 48 FQDNS because of CAA since Thursday, many of these are caatestsuite.com names. Since Thursday, we've rejected between 3-17 domains a day based on CAA records. Again, each caatestsuite site is counted separately.

Jeremy

-----Original Message-----
From: Public [mailto:[email protected]] On Behalf Of Paul Hoffman via Public
Sent: Sunday, September 10, 2017 9:19 AM
To: CA/Browser Forum Public Discussion List <[email protected]>
Subject: [cabfpub] CAA checking: anecdotal reports?

Greetings. I'm interested in how CAA is working out for both the names and CA communities. Is someone collecting anecdotal reports of certificate non-issuance due to CAA checking? I kind of imagine they fall into at least two buckets: "I really do own the name but don't know how that wrong CAA record got there" and "As a CA, we have seen X blocked attempts to use us to try to get certs that had CAA records from other vendors". I guess I'm also interested in "About X% of our renewals are names that have us correctly listed in a CAA record".

--Paul Hoffman
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
