Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item

Martin Rex <> Thu, 09 June 2011 02:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 896C221F84EE; Wed, 8 Jun 2011 19:44:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.235
X-Spam-Status: No, score=-9.235 tagged_above=-999 required=5 tests=[AWL=1.014, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KV8CRFiwzvA9; Wed, 8 Jun 2011 19:44:25 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id C5BB121F84ED; Wed, 8 Jun 2011 19:44:24 -0700 (PDT)
Received: from by (26) with ESMTP id p592i87e028403 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 9 Jun 2011 04:44:08 +0200 (MEST)
From: Martin Rex <>
Message-Id: <>
To: (Peter Gutmann)
Date: Thu, 9 Jun 2011 04:44:07 +0200 (MEST)
In-Reply-To: <> from "Peter Gutmann" at Jun 8, 11 06:56:23 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-SAP: out
Subject: Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 09 Jun 2011 02:44:25 -0000

Peter Gutmann wrote:
> Yoav Nir <> writes:
> > 
> > CAA works if all root CAs and affiliates follow it. That's hundreds or
> > thousands of entities. Any one of them that fails to comply might ignore
> > the CAA record.
> That was my problem with it, any CA (and/or RA) that's already diligent
> about cert issuance doesn't need CAA, and any one that isn't won't use
> it anyway, so it doesn't address any existing problem.

You're looking at CAA from the wrong angle.

CAA is _not_ for the RP, i.e. not for _you_ (and me, and most others ...)
It is only another means for a CA to detect attempts to subvert one of
its RAs, so it's primary purpose is CYA for large commercial CAs.

So a Server admin that has a CAA published is not really using it to
_protect_ clients.  It may reduce the likelyhood to get certs
mis-issued, though, and is therefore well in the ballpark of
what businesses are doing to protect against fraud (not protecting
against it, just make it remain under a certain fraud loss threshold).