Has there been any serious discussion of the potential benefit of CAA reporting
for certificate issuance attempts?
I'm aware of what the spec says and the SHOULD language, etc.
I'm not a CA and don't represent one.
I do, however, think that it's easier to get buy-in for changes to CA
infrastructure when there is a strong showing for cost/benefit relationship.
In a post-CT world, issuances which occur will be easily detected quite
promptly.
I am unsure of the value of a report issuing for a failed issuance attempt.
"Oh, yeah, that wasn't me. Someone's looking to attack." How does that help?
One should always assume that one is under attack. Perhaps it allows you to
identify an internal party attempting to get a certificate issued and allows
you to work with that party to correctly get a certificate issued, but wouldn't
that legitimate inside party have reached out internally anyway when they
encountered a problem?
I'm just not sure I understand the point of the reporting in terms of deriving
real security value.
I think it behooves the community, in selecting items to advance for mandatory
compliance within the CA space, to choose the requirements imposed carefully
and with a view to deriving real objective security value.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy