Re: CAA reporting support and tests?
On 26/09/17 00:03, Andrew wrote:
> is that the reports should only be sent in a situation where a
> certificate _would_ have been issued if not for the CAA records.

I'd say that's right. I'd think that by far the more common use case would be internal policy enforcement at a company rather than detecting a 3rd party attacker. And given that it's often just "send an email", one hopes the iodef might not be too onerous for CAs to implement. I believe we scoped it down to only having to support http: and mailto:.

Gerv

___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
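As an added example (not code from this thread or from any CA), the following Python checker applies the rule Gerv describes: a report is generated only when CAA, and nothing else, refused the request, and only to iodef targets using the mailto: or http(s): schemes. The sample zone data, the helper names and the simplified RFC 6844 reading in the docstring are assumptions of the example.

```python
"""CAA issuance check and report-decision logic (added example, not a CA's code).

Simplified reading of RFC 6844 (an assumption of this example): use the CAA
RRset of the closest owner name that has one; 'issue' governs ordinary
names and 'issuewild' governs wildcard names (falling back to 'issue' when
absent); an empty value (';') forbids every CA; 'iodef' says where a report
goes. A report is produced only when CAA alone refused the request.
"""
from typing import List, Tuple

# Constructed sample zone data: {owner name: [(tag, value), ...]}
SAMPLE_CAA = {
    "example.com": [("issue", "letsencrypt.org"),
                    ("issuewild", ";"),
                    ("iodef", "mailto:security@example.com")],
    "sub.example.org": [("iodef", "https://caa-reports.example.org/")],
}

# iodef schemes a CA is expected to handle (assumption: http and https, plus mailto)
REPORT_SCHEMES = ("mailto:", "http://", "https://")

def relevant_rrset(zone: dict, name: str) -> list:
    """Walk up the name tree to the closest owner holding CAA records."""
    labels = name.lstrip("*.").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return zone[owner]
    return []          # no CAA anywhere: issuance unrestricted

def ca_allowed(rrset: list, ca: str, wildcard: bool) -> bool:
    """True if `ca` may issue for this request under `rrset`."""
    has_wild = any(t == "issuewild" for t, _ in rrset)
    tag = "issuewild" if wildcard and has_wild else "issue"
    perms = [v for t, v in rrset if t == tag]
    if not perms:      # no governing property tag: any CA may issue
        return True
    # value is "<ca-domain>[; params]"; a bare ";" names nobody
    return any(v.split(";")[0].strip().lower() == ca.lower() for v in perms)

def evaluate(zone: dict, name: str, ca: str) -> Tuple[bool, List[str]]:
    """Return (allowed, report_targets); targets are non-empty only on a CAA refusal."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(zone, name)
    if ca_allowed(rrset, ca, wildcard):
        return True, []
    targets = [v for t, v in rrset
               if t == "iodef" and v.lower().startswith(REPORT_SCHEMES)]
    return False, targets
```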
Re: CAA reporting support and tests?
Has there been any serious discussion of the potential benefit of CAA reporting for certificate issuance attempts? I'm aware of what the spec says and the SHOULD language, etc... I'm not a CA and don't represent one. I do, however, think that it's easier to get buy-in for changes to CA infrastructure when there is a strong showing for cost/benefit relationship.

In a post-CT world, issuances which occur will be easily detected quite promptly. I am unsure of the value of a report issuing for a failed issuance attempt. "Oh, yea, that wasn't me. Someone's looking to attack." How does that help? One should always assume that one is under attack. Perhaps it allows you to identify an internal party attempting to get a certificate issued and allows you to work with that party to correctly get a certificate issued, but wouldn't that legitimate inside party have reached out internally anyway when they encountered a problem?

I'm just not sure I understand the point of the reporting in terms of deriving real security value. I think it behooves the community, in selecting items to advance for mandatory compliance within the CA space, to choose the requirements imposed carefully and with a view to deriving real objective security value.
CAA reporting support and tests?
Hi,

I was wondering how a CAA reporting endpoint should react and wanted to test it. However, none of the CAs I tested seem to support reporting yet. Is anyone aware of a CA that does CAA reporting? (either via mail or https or both.)

If no reporting on a live CA is in place, is anyone at least aware of any kind of available test that is able to generate CAA reports?

Also I'm wondering if there are any plans to have a requirement for CAA reporting support in the future. The cabforum ballot [1] says that reporting "SHOULD" be done.

[1] https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/

--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42