On Mon, Mar 9, 2015 at 11:38 AM, Michael Ströder <mich...@stroeder.com>
wrote:

> Ryan Sleevi wrote:
> > Given that sites in consideration already have multiple existing ways to
> > mitigate these threats (among them, Certificate Transparency, Public Key
> > Pinning, and CAA),
>
> Any clients which already make use of CAA RRs in DNS?
>
> Or did you mean something else with the acronym CAA?
>
> Ciao, Michael.
>
>
Sites can use CAA. But the checking is not meant to happen in the client as
the client cannot know what the CAA records looked like when the cert was
issued.

A third party can check the CAA records for each new entry on a CT log
however. And I bet that every CA that implements CAA will immediately start
doing so in the hope of catching out their competitors.


CAA also provides an extensible mechanism that could be used for more
general key distribution if you were so inclined.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
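An added example, not part of this thread, of the third-party check described above: a CT monitor takes each new log entry, finds the CAA RRset relevant to every DNS SAN (climbing the tree per RFC 6844), and flags SANs whose CAA did not permit the issuing CA. Because a client cannot know what CAA looked like at issuance, the zone contents are a constructed snapshot from issuance time; the CA names and function names are also assumptions for the example.

```python
from typing import Dict, List, Optional, Tuple

CAA = Tuple[int, str, str]  # (flags, property tag, value), as in RFC 6844/8659

# Constructed sample zone data standing in for a DNS snapshot taken at
# issuance time; a third-party CT monitor, not the TLS client, runs this.
ZONE: Dict[str, List[CAA]] = {
    "example.com.": [(0, "issue", "ca-one.example"), (0, "issuewild", ";")],
    "test.example.org.": [(0, "issue", "ca-two.example")],
    # example.net. publishes no CAA records at all: any CA may issue.
}

def relevant_caa(name: str, zone: Dict[str, List[CAA]]) -> Tuple[Optional[str], List[CAA]]:
    """Climb from `name` towards the root and return the first non-empty
    CAA RRset (the 'relevant' set) together with its owner name."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return owner, zone[owner]
    return None, []

def issuer_domain(value: str) -> str:
    """Issuer domain of an issue/issuewild value; parameters after ';' are ignored.
    A bare ';' yields '' and means 'no CA may issue'."""
    return value.split(";", 1)[0].strip().lower()

def is_authorized(san: str, issuer: str, zone: Dict[str, List[CAA]]) -> bool:
    """Was `issuer` permitted by CAA to issue for `san` (a DNS SAN, possibly *.x)?"""
    wildcard = san.startswith("*.")
    _, rrset = relevant_caa(san[2:] if wildcard else san, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # Critical flag (bit 7) on a property we do not understand forbids issuance.
    if any(f & 0x80 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False
    tags = {t for _, t, _ in rrset}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    allowed = [issuer_domain(v) for _, t, v in rrset if t == tag]
    if not allowed:
        return True  # relevant set carries no property of this kind
    return issuer.lower() in allowed

def audit_ct_entry(sans: List[str], issuer: str, zone: Dict[str, List[CAA]]) -> List[str]:
    """SANs of one CT log entry for which the issuing CA was not authorized."""
    return [s for s in sans if not is_authorized(s, issuer, zone)]
```

A monitor would run `audit_ct_entry` over the SANs of each new (pre)certificate it sees in a log and raise an alert for any non-empty result.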
