On Wed, 29 Nov 2017 22:37:08 +0000 Ben Laurie via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Presumably only for non-DNSSEC, actually? For DNSSEC, you have a clear
> chain of responsibility for keys, and that is relatively easy to
> build on.

For DNSSEC a CA could (and I would hope that they do) collect enough records to show that the CAA result they relied on was authentic after the fact. It is in the nature of a distributed system like DNS that it would be possible that this was not the _only_ authentic result available on the network at the time of issuance, and the CA has no way to know of any other results that are inconsistent with issuance once they have one which is consistent.

Of course the existence of contradictory authentic results SHOULD not be ordinarily the case for a well-managed domain, but we know it happens, and it would be even more likely for test systems, although they should have the know-how to control this.
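The CAA evaluation that such retained records would have to support, as an added example that is not part of this thread: the tree climb, issue/issuewild selection and critical-flag handling follow RFC 8659, the snapshot, names and issuers are constructed, and DNSSEC status is reduced to whether the resolver reported the RRset as validated (a production CA would retain the RRSIG/DNSKEY/DS chain itself).

```python
"""CAA issuance check over a retained DNS snapshot, following RFC 8659."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class CAA:
    flags: int          # bit value 128 = issuer-critical flag
    tag: str
    value: str

@dataclass
class Decision:
    permitted: bool
    source: "str | None"         # name whose CAA RRset was relevant
    dnssec_secure: bool          # resolver reported the RRset as validated (AD)
    records: list = field(default_factory=list)  # kept as after-the-fact evidence

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(snapshot, name):
    """Climb the tree (RFC 8659 s3): the first non-empty CAA RRset is relevant."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        secure, rrset = snapshot.get(candidate, (False, []))
        if rrset:
            return candidate, secure, rrset
    return None, False, []

def issuance_permitted(snapshot, name, issuer):
    """Decide for issuer domain (e.g. 'ca-a.example') and name; '*.x' is a wildcard."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    source, secure, rrset = relevant_rrset(snapshot, base)
    if not rrset:                      # no CAA anywhere up the tree: unrestricted
        return Decision(True, source, secure, [])
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return Decision(False, source, secure, rrset)   # unknown critical property
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"              # issuewild present: ignore issue for wildcards
    props = [r for r in rrset if r.tag.lower() == tag]
    if not props:                      # e.g. only iodef present: no restriction
        return Decision(True, source, secure, rrset)
    # value is "<issuer-domain>[; key=value ...]"; an empty domain (";") permits nobody
    allowed = {p.value.split(";", 1)[0].strip().lower() for p in props}
    return Decision(issuer.lower() in allowed, source, secure, rrset)

# Constructed snapshot: (validated?, CAA RRset) as retained from a validating resolver.
SNAPSHOT = {
    "example.com": (True, [CAA(0, "issue", "ca-a.example; validationmethods=dns-01"),
                           CAA(0, "issuewild", "ca-b.example"),
                           CAA(0, "iodef", "mailto:security@example.com")]),
    "locked.example.com": (True, [CAA(0, "issue", ";")]),
    "crit.example": (False, [CAA(128, "future-tag", "whatever")]),
}
```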