On Mon, May 13, 2019 at 01:35:09AM -0700, Mike Kushner via dev-security-policy 
wrote:
> On Monday, May 13, 2019 at 1:39:32 AM UTC+2, Matt Palmer wrote:
> > On Sat, May 11, 2019 at 08:37:53AM -0700, Han Yuwei via dev-security-policy 
> > wrote:
> > > This raised a question:
> > > How can a CA prove whether they have done CAA checks at the time of issue?
> > 
> > They can't, just as they can't prove they have or haven't done
> > domain-control validation.  It's up to audits, external adversarial testing,
> > and the forthright honesty of CAs themselves to proactively report when they
> > have a problem, to identify when CAs have failed to maintain the necessary
> > standards.
> 
> Indeed.  It would have been awesome if CAA had included returning a signed
> token containing the result of the check, but that would probably have
> been impossible to roll out on all of the world's DNS servers.

Yep, at that point you've basically rolled out DNSSEC, and if you've managed
to achieve *that* Herculean feat, sites can just publish identity data in
DNS and you don't need CAs at all.

- Matt

-- 
Sure, it's possible to write C in an object-oriented way.  But, in practice,
getting an entire team to do that is like telling them to walk along a
straight line painted on the floor, with the lights off.
                -- Tess Snider, slug-c...@slug.org.au

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
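The CAA check that the thread says a CA cannot retroactively prove is itself well defined: RFC 8659 tells the CA which CAA RRset is relevant for a name and which property tags gate issuance. The following is an added illustration (not code from the thread or from any CA) that evaluates that policy over a constructed in-memory zone; the names, CA identifiers and records are hypothetical.

```python
# Added example (not from the thread): RFC 8659 CAA evaluation over a
# constructed zone, the check a CA performs at issuance time.
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 0x80 = issuer critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone (hypothetical names and CAs, not real DNS data).
SAMPLE_ZONE = {
    "example.com": [CAARecord(0, "issue", "ca-a.example; accounturi=https://ca-a.example/acct/1"),
                    CAARecord(0, "iodef", "mailto:security@example.com")],
    "wild.example.com": [CAARecord(0, "issuewild", "ca-b.example")],
    "locked.example.com": [CAARecord(0, "issue", ";")],          # no CA may issue
    "odd.example.com": [CAARecord(0x80, "futuretag", "x")],      # unknown critical tag
}

def relevant_caa_set(zone, fqdn):
    """RFC 8659 s3: climb toward the root until a non-empty CAA RRset is found."""
    name = fqdn.rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]                      # the wildcard label itself has no RRset
    while name:
        rrset = zone.get(name, [])
        if rrset:
            return rrset
        name = name.partition(".")[2]        # strip the leftmost label
    return []

def issuer_domain(value):
    """Issuer domain part of an issue/issuewild value; '' means no CA at all."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(zone, fqdn, ca_domain):
    """True if ca_domain may issue for fqdn under the zone's CAA policy."""
    rrset = relevant_caa_set(zone, fqdn)
    if any(r.flags & 0x80 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False                         # unknown critical property: refuse
    tags = ["issuewild", "issue"] if fqdn.startswith("*.") else ["issue"]
    for tag in tags:                         # issuewild, when present, overrides issue
        matching = [r for r in rrset if r.tag.lower() == tag]
        if matching:
            return ca_domain.lower() in {issuer_domain(r.value) for r in matching}
    return True                              # nothing restricts issuance
```

Running the same evaluation from the domain owner's side, against live DNS, is the practical way to verify a published policy says what was intended before relying on a CA to honour it.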
