
TLS certificates: Certification bodies must audit CAA records

Monday, September 11th, 2017 | Gadgets

A new DNS record can help in some situations to avoid incorrectly issued TLS certificates. CAA, or Certificate Authority Authorization, is the name of the new name server entry. With it, a domain owner can define which certification authorities are allowed to issue certificates for the corresponding domain. However, some certification authorities still have problems with it. Comodo, one of the largest certification authorities, has not yet been checking CAA, despite promising otherwise.

The standard for CAA, RFC 6844, was adopted in 2013. Until now, certification authorities were not obliged to adhere to it. In the spring, the CA/Browser Forum decided in a vote that checking CAA would become mandatory. The deadline for this was September 8, 2017.

DNS records define permissible certification authorities

For the CAA record type, three properties can be defined: issue, issuewild, and iodef. The "issue" property takes a domain name defined by the CA; usually this is simply the domain name of the respective certification authority's website. The "issuewild" field separately specifies who may issue wildcard certificates for the corresponding domain. If this property is not specified, the value of "issue" applies.

The iodef field defines a reporting mechanism: if a CA refuses to issue a certificate for the domain, it can send an error report to the domain owner. The value is either an HTTP or HTTPS URL or a mail address prefixed with "mailto:". For HTTP/HTTPS URLs, the error report is sent with a POST request. Sending error reports is optional, however, and most certification authorities do not support it.

An example of a corresponding zone file would look like this:

example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild ";"
example.com. IN CAA 0 iodef "mailto:[email protected]"

This stipulates that only Let's Encrypt may issue certificates for the domain example.com. Wildcard certificates are not to be issued at all, so the placeholder ";" is used instead. Error reports should, if supported, be mailed to [email protected].

CAA is a further building block for improving the TLS certificate system. It is particularly helpful as an additional safeguard against possible errors in domain validation. For example, if a certification authority has a bug that undermines its domain validation, domain owners who use CAA to disallow issuance by other certification authorities are not affected. Assuming, of course, that the certification authority checks CAA correctly.

CAA does not protect against completely compromised or malicious CAs, since it of course presupposes that CAA is actually checked. Other mechanisms such as Certificate Transparency or HTTP Public Key Pinning can, however, help against malicious certification authorities.
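As an added example (not code from the article), here is a small Python checker that parses zone-file lines in the format above and applies the CAA semantics described: issuewild falls back to issue, and the bare ";" permits no CA. It goes beyond the page in two places, both taken from RFC 6844: the lookup climbs to the parent domain when a name has no CAA records of its own, and a record carrying the issuer-critical flag with an unknown tag forbids issuance. The iodef mail address is a constructed placeholder.

```python
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone-file lines in the article's format (the iodef address is a placeholder).
ZONE_LINES = [
    'example.com. IN CAA 0 issue "letsencrypt.org"',
    'example.com. IN CAA 0 issuewild ";"',
    'example.com. IN CAA 0 iodef "mailto:security@example.com"',
]

def parse_caa_line(line: str) -> Tuple[str, CaaRecord]:
    """Turn one zone-file CAA line into (owner, (flags, tag, value))."""
    owner, _cls, rtype, flags, tag, value = line.split(None, 5)
    if rtype.upper() != "CAA":
        raise ValueError("not a CAA record: " + line)
    return owner.lower(), (int(flags), tag.lower(), value.strip().strip('"'))

def build_zone(lines: List[str]) -> Dict[str, List[CaaRecord]]:
    zone: Dict[str, List[CaaRecord]] = {}
    for line in lines:
        owner, rec = parse_caa_line(line)
        zone.setdefault(owner, []).append(rec)
    return zone

def relevant_caa(name: str, zone: Dict[str, List[CaaRecord]]) -> List[CaaRecord]:
    """RFC 6844 lookup: the CAA set of the closest ancestor (name itself first) that has one."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]) + ".")
        if records:
            return records
    return []

def may_issue(name: str, ca: str, wildcard: bool, zone: Dict[str, List[CaaRecord]]) -> bool:
    """May the CA identified by `ca` issue for `name` (or *.name if wildcard)?"""
    records = relevant_caa(name, zone)
    # An issuer-critical record (flag bit 128) with a tag we do not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    allowed = [v for _, t, v in records if t == "issuewild"] if wildcard else []
    if not allowed:  # no issuewild (or a non-wildcard request): the issue records apply
        allowed = [v for _, t, v in records if t == "issue"]
    if not allowed:  # no issue/issuewild property at all: any CA may issue
        return True
    # The CA domain may be followed by parameters after ";"; the bare ";" names no CA at all.
    return any(v.split(";", 1)[0].strip().lower() == ca.lower() for v in allowed)
```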
