On Monday, May 13, 2019 at 1:39:32 AM UTC+2, Matt Palmer wrote:
> On Sat, May 11, 2019 at 08:37:53AM -0700, Han Yuwei via dev-security-policy wrote:
> > This raised a question:
> > How can CA prove they have done CAA checks or not at the time of issue?
>
> They can't, just as they can't prove they have or haven't done
> domain-control validation. It's up to audits, external adversarial testing,
> and the forthright honesty of CAs themselves to proactively report when they
> have a problem, to identify when CAs have failed to maintain the necessary
> standards.
>
> - Matt
Indeed. It would have been awesome if CAA had included returning a signed token containing the result of the check, but that would probably have been impossible to roll out on all of the world's DNS servers.

Cheers,
Mike

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
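For readers following the thread, here is what the CAA check under discussion actually decides, and what a signed record of that decision along the lines Mike describes could contain. This is an added example, not code from this thread, from Mozilla, or from any CA. The CAA answers are a constructed in-memory zone standing in for DNS, the record format is hypothetical, and HMAC-SHA256 with a shared key stands in for whatever signature a real attestation scheme would use (Mike's point is that a DNS server would have to produce it, which this sketch does not model). The tree-climbing, wildcard, "issue ;" and unknown-critical-tag behaviour follow RFC 8659.

```python
"""CAA check (RFC 8659) over constructed DNS data, plus a signed record of
the result.  Added example; not code from this thread or from any CA.
ZONE is constructed, and HMAC-SHA256 with a shared key stands in for a
real signature scheme."""
import hashlib
import hmac
import json

# Constructed CAA answers: owner name -> list of (flags, tag, value).
# Flag 128 is the "issuer critical" bit.
ZONE = {
    "example.com.": [(0, "issue", "ca.example.net"),
                     (0, "iodef", "mailto:security@example.com")],
    "wild.example.com.": [(0, "issuewild", ";"),
                          (0, "issue", "ca.example.net")],
    "only-iodef.example.com.": [(0, "iodef", "mailto:x@example.com")],
    "nobody.example.com.": [(0, "issue", ";")],
    "critical.example.com.": [(128, "futuretag", "whatever")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(name, lookup):
    """Walk from the FQDN toward the root; return (owner, rrset) of the first
    non-empty CAA RRset, or (None, []) if there is none (RFC 8659 section 3)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = lookup(owner) or []
        if rrset:
            return owner, list(rrset)
    return None, []


def _ca_domain(value):
    """An issue/issuewild value is 'ca-domain [; parameters]'; keep the domain."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(requested_name, issuer_domain, lookup):
    """Decide whether issuer_domain may issue for requested_name.
    Returns (permitted, reason, owner, rrset) so the decision can be recorded."""
    wildcard = requested_name.startswith("*.")
    check_name = requested_name[2:] if wildcard else requested_name
    owner, rrset = relevant_caa_set(check_name, lookup)
    if not rrset:
        return True, "no CAA records in the tree", owner, rrset
    # An unknown tag with the critical bit set forbids issuance outright.
    for flags, tag, _ in rrset:
        if flags & 128 and tag.lower() not in KNOWN_TAGS:
            return False, "unknown critical tag " + tag, owner, rrset
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # Wildcard names are governed by issuewild when present, else by issue.
    if wildcard and issuewild:
        governing, tag = issuewild, "issuewild"
    else:
        governing, tag = issue, "issue"
    if not governing:
        return True, "no " + tag + " tags in the relevant RRset", owner, rrset
    allowed = {_ca_domain(v) for v in governing}   # 'issue ";"' yields ''
    if issuer_domain.lower() in allowed:
        return True, issuer_domain + " is listed in " + tag, owner, rrset
    return False, issuer_domain + " is not among " + tag + " " + str(sorted(allowed)), owner, rrset


def attest(requested_name, issuer_domain, result, key, checked_at):
    """A hypothetical signed check record: canonical JSON body + HMAC-SHA256 tag.
    Records the RRset actually seen, so the decision can be re-evaluated later."""
    permitted, reason, owner, rrset = result
    body = json.dumps({
        "requested_name": requested_name,
        "issuer": issuer_domain,
        "checked_at": checked_at,
        "caa_owner": owner,
        "caa_rrset": [list(r) for r in rrset],
        "permitted": permitted,
        "reason": reason,
    }, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


def verify_attestation(body, tag, key):
    """Recompute the tag; constant-time compare so a tampered record fails."""
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    for name in ["www.example.com", "*.wild.example.com", "nobody.example.com"]:
        result = caa_permits(name, "ca.example.net", ZONE.get)
        body, tag = attest(name, "ca.example.net", result, key, "2019-05-13T00:00:00Z")
        print(name, "->", result[0], "|", result[1], "| verified:", verify_attestation(body, tag, key))
```

The record carries the RRset the checker saw, not just a yes/no, which is the part an auditor would want: with the signed RRset in hand, anyone can re-run the decision, and a CA that claims it checked but cannot produce such a record has nothing but its own say-so, which is exactly Matt's point.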