On Sat, May 11, 2019 at 08:37:53AM -0700, Han Yuwei via dev-security-policy wrote:
> This raised a question:
> How can CA prove they have done CAA checks or not at the time of issue?

They can't, just as they can't prove they have or haven't done domain-control validation. It's up to audits, external adversarial testing, and the forthright honesty of CAs themselves to proactively report when they have a problem, to identify when CAs have failed to maintain the necessary standards.

- Matt