> > The problem is that any CA can issue a certificate for a given domain name
> > and all browsers will trust it. CT allows Paypal (just an example) to detect
> > that some unexpected CA issued a cert for one of their domains. If CAA is
> > used by the CA being hacked, their system should refuse to issue the cert to
> > Paypal's domain. DANE or cert

When a CA is hacked I think we can safely assume that the 'system' can be tricked into doing whatever the attacker wants it to do. Including overriding CAA policy.

Leif

_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
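The two mechanisms the thread contrasts sit on different sides of the trust boundary, and a small worked example makes the difference concrete. The block below is an added illustration, not code from the thread or from any CA: it implements the CAA evaluation a CA is expected to perform before issuing (RFC 8659 tree climbing, `issue`/`issuewild` handling, the bare `;` deny-all value) next to the owner-side check a CT monitor performs after issuance. The zone data, the CA names (`trusted-ca.example`, `other-ca.example`) and the log entries are constructed placeholders; `paypal.example` stands in for the domain in the quoted text.

```python
"""Added illustration, not code from the thread: a CA-side CAA check
(RFC 8659 tree climbing) beside an owner-side CT-style issuance check.
All zone data, CA names and log entries are constructed placeholders."""

# Constructed zone: name -> list of CAA (flags, tag, value) tuples.
CAA_ZONE = {
    "paypal.example": [(0, "issue", "trusted-ca.example; account=42"),
                       (0, "iodef", "mailto:security@paypal.example")],
    "shop.example":   [(0, "issue", "trusted-ca.example"),
                       (0, "issuewild", ";")],   # wildcards: nobody may issue
}


def relevant_caa_rrset(fqdn, zone):
    """RFC 8659 section 3: walk from the FQDN toward the root and return the
    first non-empty CAA RRset; an empty list means no CAA applies."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """'ca.example; account=42' -> 'ca.example'; a bare ';' -> '' (deny all)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn, ca, zone):
    """Decide, as a CA would before issuing, whether `ca` may issue for `fqdn`.
    A leading '*.' marks a wildcard request; issuewild then overrides issue.
    This check runs inside the CA: a CA under an attacker's control can simply
    skip it, which is the point made in the reply above."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    rrset = relevant_caa_rrset(name, zone)
    tags = {tag for _, tag, _ in rrset}
    if wildcard and "issuewild" in tags:
        tag = "issuewild"
    elif "issue" in tags:
        tag = "issue"
    else:
        return True  # no issue/issuewild property restricts this request
    return ca.lower() in {issuer_domain(v) for _, t, v in rrset if t == tag}


# Constructed records in the shape a CT monitor sees (issuer + SAN list).
CT_ENTRIES = [
    {"issuer": "trusted-ca.example", "names": ["www.paypal.example"]},
    {"issuer": "other-ca.example", "names": ["login.paypal.example", "x.example"]},
    {"issuer": "other-ca.example", "names": ["notpaypal.example"]},
]


def covers(name, domain):
    """True if `name` is `domain` itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def unexpected_issuances(entries, domain, expected_issuers):
    """Owner-side check: certificates covering `domain` issued by a CA that is
    not on the owner's expected list. Unlike caa_permits, this does not rely
    on the issuing CA behaving; it only detects, after the fact."""
    expected = {e.lower() for e in expected_issuers}
    return sorted(
        (n, e["issuer"])
        for e in entries
        if e["issuer"].lower() not in expected
        for n in e["names"]
        if covers(n, domain)
    )


if __name__ == "__main__":
    print(caa_permits("www.paypal.example", "trusted-ca.example", CAA_ZONE))
    print(caa_permits("www.paypal.example", "other-ca.example", CAA_ZONE))
    print(caa_permits("*.shop.example", "trusted-ca.example", CAA_ZONE))
    print(unexpected_issuances(CT_ENTRIES, "paypal.example", {"trusted-ca.example"}))
```

`caa_permits` answers the question the CA asks itself; `unexpected_issuances` answers the question the domain owner asks. Only the second one still yields a true answer when the CA's own systems are compromised, which is why CT is a detection control and CAA a prevention control that depends on the CA honouring it.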