On Tue, Apr 14, 2015 at 8:09 AM, Kurt Roeckx <k...@roeckx.be> wrote:
> On 2015-04-14 13:54, Rob Stradling wrote:
>>
>> On 14/04/15 12:38, Kurt Roeckx wrote:
>>>
>>> On 2015-04-14 01:15, Peter Kurrasch wrote:
>>>>
>>>> Let's use an example. Suppose CNNIC issues a cert for
>>>> whitehouse[dot]gov and let's further suppose that CNNIC includes this
>>>> cert in the CT data since they have agreed to do that. What happens
>>>> next?
>>>
>>>
>>> What I've been wondering about is whether we need a mechanism where the
>>> CT log should approve the transition from one issuer to an other.
>>
>>
>> Kurt, isn't CAA (RFC6844) the tool for this job?
>
>
> I don't see everybody publishing that.  Or do you want to make it a
> requirement that everybody publishes such a record?

I think that it is from today that CAs are required to state whether
they do CAA or not in their CPS.

Anyone who does not implement CAA and then mis-issues just one cert
that should have been caught is going to look exceptionally stupid.


CAA tells CAs what they should not do.
CT tells everyone whether or not they did it.

Those are the accountability controls.

In addition, HSTS and HPKP provide access controls which are currently
being distributed through the HTTP and pre-loaded lists and I have a
proposal for publishing the exact same info through the DNS as CAA
attributes.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
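The CAA check the thread is arguing about, as an added example that is not part of the original thread or of any CA's code: it evaluates an RFC 6844 CAA policy the way an issuing CA would, over a constructed in-memory zone instead of live DNS. The domain names, issuer domains and records are placeholders, and the CNAME/alias steps of the RFC 6844 tree climb are omitted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int    # bit 7 (value 128) marks the tag as "issuer critical"
    tag: str      # issue, issuewild, iodef, ...
    value: str    # for issue/issuewild: issuer domain, optionally followed by ";params"

# Constructed zone data: no real DNS is queried and the names are placeholders.
ZONE = {
    "example.org": [CAARecord(0, "issue", "ca-a.example"),
                    CAARecord(0, "iodef", "mailto:security@example.org")],
    "wild.example.org": [CAARecord(0, "issuewild", "ca-b.example")],
    "locked.example.org": [CAARecord(0, "issue", ";")],   # empty issuer: nobody may issue
    "strict.example.org": [CAARecord(128, "futuretag", "x"),
                           CAARecord(0, "issue", "ca-a.example")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_caa_set(name, zone=ZONE):
    """Climb from the name toward the root (RFC 6844 section 4); the first
    non-empty CAA RRset is the relevant set. CNAME/alias steps are omitted here."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []

def issuer_authorized(name, issuer_domain, wildcard=False, zone=ZONE):
    """Return True if a CA identified by issuer_domain may issue for name."""
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True   # no CAA policy anywhere up the tree: issuance not restricted
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False  # critical tag this CA does not understand: must not issue
    tag = "issuewild" if wildcard else "issue"
    controlling = [r for r in rrset if r.tag.lower() == tag]
    if wildcard and not controlling:  # no issuewild: issue records govern wildcards too
        controlling = [r for r in rrset if r.tag.lower() == "issue"]
    if not controlling:
        return True   # CAA present (e.g. only iodef) but no issuance restriction
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in controlling}
    return issuer_domain.lower() in allowed
```

A CA that runs this check before issuing refuses the mis-issuance in the hypothetical above; CT then records whether it actually did.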