Currently, CAA identifiers and problem reporting information are
collected on a per-CA basis and published in the "CA Information
Report"[1].
However, externally-operated sub-CAs generally have their own CAA
identifiers and problem reporting information, and this information
is not currently collected. Would it be possible to collect this
information on a per-intermediate basis and to publish it in
the intermediate CA report[2]? There could also be a "same as parent"
option, as with CPS/audit information.
Having this information readily available would make it possible
to build some useful tools such as:
1. Auto-generate a CAA policy for a domain based on certificates currently
logged to CT. (I want this for my CAA record generator[3].)
2. Monitor CT and make sure that issued certificates are compliant with
the domain's published CAA policy (modulo DNS changes between time-of-issue
and time-of-check).
3. Given a misissued certificate, display problem reporting
information. (Might be handy for misissued.com)
Regards,
Andrew
[1] https://ccadb-public.secure.force.com/mozilla/CAInformationReport
[2] https://ccadb-public.secure.force.com/mozilla/PublicAllIntermediateCerts
[3] https://sslmate.com/labs/caa
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy