On Thu, 30 Nov 2017, Wayne Thayer wrote:

[cut CC: list, assuming we're all on the list]

> - Subscribers already (or soon will) have CT logs and monitors available to detect mis-issued certs. They don't need CAA Transparency.

It's not for subscribers, but for CAs. Transparency is nice, but it does not _prevent_ misissue. The goal of CAA is to prevent misissue. We don't need a CAA Transparency log, because the only thing that needs logging is the DNSSEC chain of the CAA record or lack thereof at the time of issue. And only the issuing CA needs this information in case they need to defend that there was no CAA record preventing them from issuing at the time. Of course, you could still stuff it in some transparency log if you want, but it is pretty useless for end users.

Paul

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
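An added example, not code from this thread or from any CA's software, of the CA-side record the reply describes: a CAA check that climbs the name tree as RFC 8659 specifies and writes out an issuance-time evidence record holding the CAA record set it found (or the fact that none existed), whether the answer was DNSSEC-validated, and the resulting decision. The zone contents, domain names and CA identifier are constructed for the example; a real implementation would store the validated RRSIG/DNSKEY/DS chain or the proof of non-existence in place of the boolean `dnssec_validated` flag.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed example zone (not real DNS data). Maps owner name ->
# (list of (flags, tag, value) CAA records, dnssec_validated). An empty list
# means the name exists but has no CAA records; names missing from the dict
# are treated as non-existent. A real CA would replace the boolean with the
# validated RRSIG/DNSKEY/DS chain (or proof of non-existence) it obtained.
ZONE = {
    "example.com.": (
        [(0, "issue", "ca-one.example"),
         (0, "iodef", "mailto:security@example.com")],
        True,
    ),
    "www.example.com.": ([], True),
    "nocaa.test.": ([], False),
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical flag bit in the CAA flags octet


def lookup_caa(name):
    """Simulated resolver query; returns (records, dnssec_validated)."""
    return ZONE.get(name, ([], False))


def relevant_caa_set(fqdn):
    """RFC 8659 section 3: climb from the FQDN toward the root and return the
    first non-empty CAA record set, the owner name it was found at, and
    whether that answer was DNSSEC-validated."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        records, validated = lookup_caa(owner)
        if records:
            return owner, records, validated
    return None, [], False


def caa_permits(fqdn, ca_identifier):
    """Decide whether ca_identifier may issue for fqdn and return
    (permitted, evidence), where evidence is the record the CA keeps
    so it can later show what CAA said at the time of issuance."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn
    found_at, records, validated = relevant_caa_set(base)

    # RFC 8659 section 4.3: issuewild governs wildcard requests; when no
    # issuewild property is present, the issue property applies to them too.
    tag = "issue"
    if wildcard and any(r[1] == "issuewild" for r in records):
        tag = "issuewild"
    relevant = [r for r in records if r[1] == tag]
    # Property value is "issuer-domain [; params]"; a bare ";" permits no one.
    allowed = {r[2].split(";")[0].strip().lower() for r in relevant}

    if any(r[0] & CRITICAL and r[1] not in KNOWN_TAGS for r in records):
        permitted, reason = False, "critical CAA property with unrecognized tag"
    elif not records:
        permitted, reason = True, "no CAA record set found while climbing to the root"
    elif not relevant:
        permitted, reason = True, f"CAA set has no '{tag}' property; no restriction for this tag"
    else:
        permitted = ca_identifier.lower() in allowed
        reason = f"'{tag}' property {'lists' if permitted else 'does not list'} {ca_identifier}"

    evidence = {
        "requested_name": fqdn,
        "ca_identifier": ca_identifier,
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "caa_found_at": found_at,
        "caa_records": [list(r) for r in records],
        "dnssec_validated": validated,
        "permitted": permitted,
        "reason": reason,
    }
    # Digest of the canonical record so the CA can later show it was not altered.
    evidence["digest"] = hashlib.sha256(
        json.dumps(evidence, sort_keys=True).encode()).hexdigest()
    return permitted, evidence


if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca-one.example"),
                     ("www.example.com", "ca-two.example"),
                     ("*.example.com", "ca-one.example"),
                     ("nocaa.test", "ca-one.example")]:
        ok, ev = caa_permits(name, ca)
        print(f"{name:18} {ca:16} permitted={ok}  ({ev['reason']})")
```

The evidence record is what the reply says the CA actually needs: for `www.example.com` it captures that the governing set lived at `example.com.` and was validated, and for `nocaa.test` it captures that no set existed and that the answer was unsigned, which is exactly the case a CA would have to defend later.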