What problem(s) are you trying to solve? - Subscribers already (or soon will) have CT logs and monitors available to detect mis-issued certs. They don't need CAA Transparency.
- This thread started as a discussion over possible mis-issuance that was determined to be false positives. As has been stated, without DNSSEC there is no such thing as a coherent view of DNS and Ryan described a legitimate example where a domain owner may consciously update CAA records briefly to permit issuance. It's unclear to me how CAA Transparency could solve this problem and thus provide a mechanism to confirm mis-issuance, if that is the goal. - The goal of reducing the risk of mis-issuance from well-behaved CAs who have bad or manipulated CAA data seems most worthwhile to me. To Ryan's point (I think), there may be better ways of achieving this one such as requiring CAs to "gossip" CAA records, or requiring CAA checks be performed from multiple network locations. Wayne On Thu, Nov 30, 2017 at 2:00 PM, Tim Hollebeek via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I think there’s value in publicly logging things even if that isn’t the > basis for trust. So I disagree that what I wrote boils down to what I > didn’t write. > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
