Cannabis Ruderalis

thcscience_admin
Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
Pred (talk | contribs)
Extended confirmed users
880 edits
m →‎Examples: Fix a link
94.134.178.238 (talk)
Fixed grammatical mistakes.
 
(133 intermediate revisions by 69 users not shown)
Line 1: Line 1:
{{Short description|Internet security policy mechanism}}
'''DNS Certification Authority Authorization''' ('''CAA''') uses the [[Internet]]'s [[Domain Name System]] to allow the holder of a domain to specify which [[certificate authorities]] (CAs) are allowed to issue certificates for that domain. This is not intended to support additional cross-checking at the client end of [[Transport Layer Security]] (TLS) connections (rather, [[DNS-based Authentication of Named Entities]] – DANE – is intended to be used for that purpose), but as a check for CAs to carry out as part of their issuance procedures. CAA records are intended to allow CAs to avoid mis-issuing certificates in some circumstances, while DANE records are intended to allow relying applications (TLS clients) to avoid relying on mis-issued certificates in some circumstances.<ref name=rfc6844>{{cite web|url=https://tools.ietf.org/html/rfc6844|title=RFC 6844: DNS Certification Authority Authorization (CAA) Resource Record|publisher=Internet Engineering Task Force|author=P. Hallam-Baker and R. Stradling|date=January 2013}}</ref>
{{Good article}}
{{Use American English|date=January 2018}}
{{Use mdy dates|date=January 2018}}
{{Infobox technology standard
| status = [[Internet Standard#Proposed Standard|Proposed Standard]]
| first_published = {{Start date|2010|10|18}}
| version = {{IETF RFC|8659}}
| version_date = November 2019
| organization = [[Internet Engineering Task Force|IETF]]
| authors = {{Plainlist|
* [[Phillip Hallam-Baker]]
* Rob Stradling
* Jacob Hoffman-Andrews
}}
| abbreviation = CAA
}}
'''DNS Certification Authority Authorization''' ('''CAA''') is an [[Internet security]] policy mechanism that allows [[domain name]] holders to indicate to [[certificate authorities]] whether they are authorized to issue [[digital certificates]] for a particular [[domain name]]. It does this by means of a "CAA" [[Domain Name System]] (DNS) [[resource record]].


It was drafted by computer scientists [[Phillip Hallam-Baker]] and Rob Stradling in response to increasing concerns about the security of publicly trusted certificate authorities. It is an [[Internet Engineering Task Force]] (IETF) [[Internet Standard#Proposed Standard|proposed standard]].
DNS Certification Authority Authorization is specified by RFC 6844. It defines a new "CAA" DNS resource record type for name-value pairs that can carry a wide range of information to be used as part of the CA authorization process. It may also be possible for certificate evaluators to use CAA records to detect possible mis-issued certificates. However, the certificate evaluator should consider that the CAA records may have changed between the time the certificate was issued and the time the certificate is observed by the evaluator.<ref name=rfc6844 />


== Background ==
== Structure of CAA resource record ==
A [[Certificate authority#CA compromise|series of incorrectly issued certificates]] from 2001 onwards<ref name="feistyduck">{{Cite web|url=https://www.feistyduck.com/ssl-tls-and-pki-history/|title=SSL/TLS and PKI History|last=Ristić|first=Ivan|website=Feisty Duck|language=en|access-date=June 8, 2018}}</ref><ref name="arstechnica2011">{{Cite news|url=https://arstechnica.com/information-technology/2011/08/earlier-this-year-an-iranian/|title=Another fraudulent certificate raises the same old questions about certificate authorities|last=Bright|first=Peter|date=August 30, 2011|work=[[Ars Technica]]|access-date=February 10, 2018|language=en-us}}</ref> damaged trust in publicly trusted certificate authorities,<ref name="ruohonen2018">{{Cite journal|last=Ruohonen|first=Jukka|arxiv=1804.07604|title=An Empirical Survey on the Early Adoption of DNS Certification Authority Authorization|journal=Journal of Cyber Security Technology|year=2019|volume=3|issue=4|pages=205–218|doi=10.1080/23742917.2019.1632249|s2cid=5027899}}</ref> and accelerated work on various security mechanisms, including [[Certificate Transparency]] to track mis-issuance, [[HTTP Public Key Pinning]] and [[DNS-based Authentication of Named Entities|DANE]] to block mis-issued certificates on the [[client-side]], and CAA to block mis-issuance on the certificate authority side.<ref name="sigcomm2017" />


The first draft of CAA was written by [[Phillip Hallam-Baker]] and Rob Stradling, and submitted as an [[IETF Internet Draft]] in October 2010.<ref name="draft-hallambaker-donotissue-00">{{Cite IETF|title=DNS Certification Authority Authorization (CAA) Resource Record|draft=draft-hallambaker-donotissue-00|last1=Hallam-Baker|first1=Phillip|author-link1=Phillip Hallam-Baker|last2=Stradling|first2=Rob|date=October 18, 2010|publisher=[[Internet Engineering Task Force|IETF]]}}</ref> This was progressively improved by the [[X.509#PKIX Working Group|PKIX Working Group]],<ref name="draft-ietf-pkix-caa-00">{{Cite IETF|title=DNS Certification Authority Authorization (CAA) Resource Record|draft=draft-ietf-pkix-caa-00|last1=Hallam-Baker|first1=Phillip|author-link1=Phillip Hallam-Baker|last2=Stradling|first2=Rob|last3=Ben|first3=Laurie|author-link3=Ben Laurie|date=June 2, 2011|publisher=[[Internet Engineering Task Force|IETF]]}}</ref> and approved by the [[IESG]] as {{IETF RFC|6844}}, a [[Internet Standard#Proposed Standard|Proposed Standard]], in January 2013.<ref name="rfc6844">{{Cite IETF|title=DNS Certification Authority Authorization (CAA) Resource Record|rfc=6844|last1=Hallam-Baker|first1=Phillip|author-link1=Phillip Hallam-Baker|last2=Stradling|first2=Rob|date=January 2013|publisher=[[Internet Engineering Task Force|IETF]]|doi=10.17487/RFC6844|issn=2070-1721}}</ref> [[CA/Browser Forum]] discussion began shortly afterward,<ref name="sigcomm2017" /> and in March 2017 they voted in favor of making CAA implementation mandatory for all certificate authorities by September 2017.<ref name="cab2017">{{Cite web |last=Hall |first=Kirk |date=March 8, 2017 |title=Results on Ballot 187 - Make CAA Checking Mandatory |url=https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/ |access-date=January 7, 2018 |publisher=[[CA/Browser Forum]]}}</ref><ref name="globalsign2017">{{Cite web|url=https://www.globalsign.com/en/blog/what-is-certificate-authority-authorization-checking/|title=What is CAA (Certificate Authority Authorization)?|last=Beattie|first=Doug|date=August 22, 2017|website=[[GlobalSign]]|language=en|access-date=February 2, 2018}}</ref> At least one certificate authority, [[Comodo Group|Comodo]], failed to implement CAA before the deadline.<ref name="bleepingcomputer2017">{{Cite news|url=https://www.bleepingcomputer.com/news/security/comodo-caught-breaking-new-caa-standard-one-day-after-it-went-into-effect/|title=Comodo Caught Breaking New CAA Standard One Day After It Went Into Effect|last=Cimpanu|first=Catalin|date=September 11, 2017|work=[[Bleeping Computer]]|access-date=January 8, 2018|language=en}}</ref> A 2017 study by the [[Technical University of Munich]] found many instances where certificate authorities failed to correctly implement some part of the standard.<ref name="sigcomm2017">{{Cite journal|last1=Scheitle|first1=Quirin|last2=Chung|first2=Taejoong|last3=Hiller|first3=Jens|last4=Gasser|first4=Oliver|last5=Naab|first5=Johannes|last6=van Rijswijk-Deij|first6=Roland|last7=Hohlfeld|first7=Oliver|last8=Holz|first8=Ralph|last9=Choffnes|first9=Dave|last10=Alan|first10=Mislove|last11=Carle|first11=Georg|display-authors=2|date=April 2018|title=A First Look at Certification Authority Authorization (CAA)|url=https://ccronline.sigcomm.org/wp-content/uploads/2018/05/sigcomm-ccr-final163.pdf|journal=ACM SIGCOMM Computer Communication Review|volume=48|issue=2|pages=10–23|doi=10.1145/3213232.3213235|s2cid=13988123|issn=0146-4833}}</ref>
Each CAA resource record contains a flags byte and a property. The flags byte contains flags which can influence the interpretation of the record. The property consists of a "tag" which allows selection between several kinds of CAA record, and a "value" string whose meaning depends on the choice of tag.


In September 2017, Jacob Hoffman-Andrews submitted an Internet Draft intended to simplify the CAA standard. This was improved by the LAMPS Working Group, and approved as {{IETF RFC|8659}}, a Proposed Standard, in November 2019.<ref name="rfc8659">{{Cite IETF|title=DNS Certification Authority Authorization (CAA) Resource Record|rfc=8659|date=November 2019|publisher=[[Internet Engineering Task Force|IETF]]|doi=10.17487/RFC8659|issn=2070-1721}}</ref>
Currently one flag is defined: the ''issuer critical'' flag is represented by the most significant bit of the flag's byte. If the issuer-critical flag's value is 1 (that is, a flags byte equal to 128), this indicates that a CA which does not understand or does not implement the property tag in this record should refuse to issue a certificate for the domain.<ref name=rfc6844 /> This is similar to the way [[X.509#Structure of a certificate|critical extensions in X509 certificates]] work.


{{As of|2024|June}}, [[Qualys]] reports that still, only 15.4% of the 150,000 most popular [[Transport Layer Security|TLS]]-supporting websites use CAA records.<ref name="ssllabs">{{Cite web|url=https://www.ssllabs.com/ssl-pulse/|title=SSL Pulse|date=January 3, 2020|website=SSL Labs|publisher=[[Qualys]]|access-date=January 31, 2020}}</ref>
Besides the flag, three property tags are defined:


== Record ==
; issue : This property authorizes the holder of the domain specified in the "value" field to issue certificates for the domain for which the property is published.
Certificate authorities implementing CAA perform a [[Domain Name System|DNS]] lookup for CAA [[resource record]]s, and if any are found, ensure that they are listed as an authorized party before issuing a [[digital certificate]]. Each CAA resource record consists of the following components:<ref name="rfc8659" />
; issuewild : This property acts like ''issue'' but allows wildcard certificates.
; flag : A [[flag (computing)|flags byte]] which implements an [[extensible]] signaling system for future use. {{As of|2018}}, only the ''issuer critical'' flag has been defined, which instructs certificate authorities that they must understand the corresponding property tag before issuing a certificate.<ref name="rfc8659" /> This flag allows the protocol to be extended in the future with mandatory extensions,<ref name="sigcomm2017" /> similar to [[X.509#Structure of a certificate|critical extensions in X.509 certificates]].
; iodef : This property specifies a method for CAs to report to the domain holder when a certificate is issued. Not all CAs support this tag, so there is no guarantee that all certificate issuances will be reported.
; tag :One of the following property:
:; issue: This property authorizes the holder of the domain specified in associated property value to issue certificates for the domain for which the property is published.
:; issuewild :This property acts like ''issue'' but only authorizes the issuance of [[wildcard certificate]]s, and takes precedence over the ''issue'' property for wildcard certificate requests.
:; iodef : This property specifies a method for certificate authorities to report invalid certificate requests to the domain name holder using the [[Incident Object Description Exchange Format]]. {{As of|2018}}, not all certificate authorities support this tag, so there is no guarantee that all certificate issuances will be reported.
:; contactemail : Increasingly, contact information is not available in WHOIS due to concerns about potential GDPR violations. This property allows domain holders to publish contact information in DNS.<ref>{{Cite web|title=Public Key Infrastructure using X.509 (PKIX) Parameters|url=https://www.iana.org/assignments/pkix-parameters/pkix-parameters.xhtml#caa-properties|access-date=2020-08-22|website=www.iana.org}}</ref><ref>https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.3.pdf {{Bare URL PDF|date=March 2022}}</ref>
:; contactphone : As above, for phone numbers.<ref>{{Cite mailing list|url=https://archive.cabforum.org/pipermail/public/2019-January/014498.html|title=Ballot SC14: CAA Contact Property and Associated Phone Validation Methods|date=January 7, 2019|access-date=October 19, 2020|mailing-list=[[CA/Browser Forum]]|last=Beattie|first=Doug}}</ref>


; value: The value associated with the chosen property tag.
== Supporting servers ==


The lack of any CAA records authorizes normal unrestricted issuance, and the presence of a single blank ''issue'' tag disallows all issuance.<ref name="rfc8659" /><ref name="globalsign2017" /><ref name="symantec">{{Cite web|url=https://www.websecurity.symantec.com/security-topics/what-is-certificate-authority-authorization|archive-url=https://web.archive.org/web/20180108120352/https://www.websecurity.symantec.com/security-topics/what-is-certificate-authority-authorization|url-status=dead|archive-date=January 8, 2018|title=What is Certificate Authority Authorization (CAA)?|website=[[NortonLifeLock|Symantec]]|access-date=January 8, 2018}}</ref>
{{As of|2016}}, CAA records are supported in the [[BIND]] DNS server (as of version 9.10.1B),<ref>{{cite web|url=https://www.isc.org/blogs/certificate-authority-authorization-records/|title=Certificate Authority Authorization Records|publisher=Internet Systems Consortium|date=August 29, 2014|author=Vicky Risk}}</ref> the [[NSD]] authoritative DNS server (as of version 4.0.1),<ref>{{cite web|url=http://www.nlnetlabs.nl/projects/nsd/index.html#releases|title=NSD: Name Server Daemon Releases|publisher=NLNet Labs|date=January 27, 2014|author=NLNet Labs}}</ref> the [[Knot DNS]] server (since version 2.2.0).<ref>{{Cite web|url=https://lists.nic.cz/pipermail/knot-dns-users/2016-April/000853.html|title=[knot-dns-users] Knot DNS 2.2.0 release|last=Včelak|first=Jan|access-date=2016-04-26}}</ref> and [[PowerDNS]] (since version 4.0.0).<ref>{{cite web|url=https://doc.powerdns.com/md/types/|title=Supported Record Types|publisher=PowerDNS.com}}</ref>


Third parties monitoring certificate authority behavior might check newly issued certificates against the domain's CAA records. {{IETF RFC|8659}} states; CAA records MAY be used by Certificate Evaluators as a possible indicator of a security policy violation. Such use SHOULD take into account the possibility that published CAA records changed between the time a certificate was issued and the time at which the certificate was observed by the Certificate Evaluator.<ref name="rfc8659" />
== Mandatory checking ==


== Extensions ==
Originally the implementation of CAA was voluntary: CAs could decide whether they would check for the records or not. However, in March 2017 the CA/Browser Forum voted in favor of a rule that will make CAA mandatory for all certificate authorities.<ref>https://cabforum.org/pipermail/public/2017-March/009988.html</ref> Starting September 2017 all certificate authorities have to implement CAA checking.
{{IETF RFC|8657}} specifies <code>"accounturi"</code> and <code>"validationmethods"</code> parameters which allow users to specify desired methods of domain control validation as defined in [[Automated Certificate Management Environment|ACME protocol]]. For example, website administrators can bind a domain they control to a particular account registered with their desired Certification Authority.

=== History ===
A draft of the first extension to the CAA standard was published on October 26, 2016, proposing a new ''account-uri'' token to the end of the ''issue'' property, which ties a domain to a specific [[Automated Certificate Management Environment]] account.<ref name="draft-ietf-acme-caa-00">{{Cite IETF|title=CAA Record Extensions for Account URI and ACME Method Binding|draft=draft-ietf-acme-caa-00|last1=Landau|first1=Hugo|date=October 26, 2016|publisher=[[Internet Engineering Task Force|IETF]]}}</ref> This was amended on August 30, 2017, to also include a new ''validation-methods'' token, which ties a domain to a specific validation method,<ref name="draft-ietf-acme-caa-04">{{Cite IETF|title=CAA Record Extensions for Account URI and ACME Method Binding|draft=draft-ietf-acme-caa-04|last1=Landau|first1=Hugo|date=August 30, 2017|publisher=[[Internet Engineering Task Force|IETF]]}}</ref> and then further amended on June 21, 2018, to remove the hyphen in ''account-uri'' and ''validation-methods'' making them instead ''accounturi'' and ''validationmethods''.<ref name="draft-ietf-acme-caa-05">{{Cite IETF|title=CAA Record Extensions for Account URI and ACME Method Binding|draft=draft-ietf-acme-caa-05|last1=Landau|first1=Hugo|date=June 21, 2018|publisher=[[Internet Engineering Task Force|IETF]]}}</ref>


== Examples ==
== Examples ==
To indicate that only the certificate authority identified by ''ca.example.net'' is authorized to issue certificates for [[example.com]] and all subdomains, one may use this CAA record:<ref name="rfc8659" />
{{sxhl|2=zone|
example.com. IN CAA 0 issue "ca.example.net"
}}
To disallow any certificate issuance, one may allow issuance only to an empty issuer list:
{{sxhl|2=zone|
example.com. IN CAA 0 issue ";"
}}
To indicate that certificate authorities should report invalid certificate requests to an [[email address]] and a [[Real-time Inter-network Defense]] endpoint:


{{sxhl|2=zone|
In the following examples, assume that we want to control certificate issuance for the domain [[example.com]].
example.com. IN CAA 0 iodef "mailto:security@example.com"
example.com. IN CAA 0 iodef "http://iodef.example.com/"
}}


To use a future extension of the protocol, for example, one which defines a new ''future'' property, which needs to be understood by the certificate authority before they can safely proceed, one may set the ''issuer critical'' flag:
To signify that only the CA [[Let's Encrypt]] can issue certificates to the domain, as well as all of its subdomains, one may use the CAA record
{{sxhl|2=zone|
example.com. IN CAA 0 issue "ca.example.net"
example.com. IN CAA 128 future "value"
}}


== Incidents ==
example.com. IN CAA 0 issue "letsencrypt.org"
In 2017, Camerfirma was found to improperly validate CAA records. Camerfirma claimed to have misunderstood the [[CA/Browser Forum]] Baseline Requirements describing CAA validation.<ref>{{Cite web|title=CA:Camerfirma Issues - MozillaWiki|url=https://wiki.mozilla.org/CA:Camerfirma_Issues#Issue_F:_Ignoring_CAA_based_on_another_CA.27s_Certificate_Transparency_disclosure_.28Nov._2017.29|access-date=2021-04-27|website=wiki.mozilla.org}}</ref><ref name="sigcomm2017" />


In early 2020, [[Let's Encrypt]] disclosed that their software improperly queried and validated CAA records potentially affecting over 3 million certificates.<ref>{{Cite web|last=Claburn|first=Thomas|date=3 March 2020|title=Let's Encrypt? Let's revoke 3 million HTTPS certificates on Wednesday, more like: Check code loop blunder strikes|url=https://www.theregister.com/2020/03/03/lets_encrypt_cert_revocation/|url-status=live|access-date=2021-04-27|website=www.theregister.com|language=en|archive-url=https://web.archive.org/web/20200531124914/https://www.theregister.com/2020/03/03/lets_encrypt_cert_revocation/ |archive-date=May 31, 2020 }}</ref> Let's Encrypt worked with customers and site operators to replace over 1.7 million certificates, but decided not to revoke the rest to avoid client downtime and since the affected certificates would all expire in less than 90 days.<ref>{{Cite magazine|last=Barrett|first=Brian|date=3 March 2020|title=The Internet Avoided a Minor Disaster Last Week|language=en-US|magazine=Wired|url=https://www.wired.com/story/lets-encrypt-internet-calamity-that-wasnt/|access-date=2021-04-27|issn=1059-1028}}</ref>
To disallow issuance for a specific subdomain, nocerts.example.com, one would allow issuance only to the empty issuer list,

<pre>
nocerts.example.com. IN CAA 0 issue ";"
</pre>

In this case, in a request to issue a certificate to nocerts.example.com, the relevant CA will stop its search for RAA records at the subdomain. To signify that the CA may report certificate issues or policy violations by email to caa@example.com, or through [[Real-time Inter-network Defense|RID messages]] to caa.example.com, the iodef property may be applied as follows:

<pre>
nocerts.example.com. IN CAA 0 issue ";"
nocerts.example.com. IN CAA 0 iodef "mailto:caa@example.com"
nocerts.example.com. IN CAA 0 iodef "https://caa.example.com"
</pre>

If, in the original example, we would like to allow issuance to specific domains, but disallow issuance of any wildcard certificates, the issuewild property may be applied:

<pre>
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild ";"
</pre>

The critical flag is intended for usage when future inclusions of new properties may impact issuance. If, for example, a future version of CAA would include the tag "future", then the record set

<pre>
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 128 future "Some value"
</pre>

would result in no issuance, if the CA does not know how to parse the record, for instance if it has not yet updated its parsing engine to the new version.

== References ==
{{reflist}}


== See also ==
== See also ==
* [[Certificate authority#CA compromise|Certificate authority compromise]]
* [[Certificate Transparency]]
* [[DNS-based Authentication of Named Entities]]
* [[DNS-based Authentication of Named Entities]]
* [[HTTP Public Key Pinning]]
* [[HTTP Public Key Pinning]]
* [[List of DNS record types]]
* [[List of DNS record types]]

== References ==
{{Reflist}}

== External links ==
* {{IETF RFC|8659}}
* [https://ccadb-public.secure.force.com/ccadb/AllCAAIdentifiersReport List of CA identifiers for use in CAA records] at Common CA Database


{{SSL/TLS}}
{{SSL/TLS}}


[[Category:Transport Layer Security]]
[[Category:Transport Layer Security]]
[[Category:Domain name system]]
[[Category:Domain Name System]]

Latest revision as of 06:57, 25 June 2024

DNS Certification Authority Authorization
AbbreviationCAA
StatusProposed Standard
First publishedOctober 18, 2010 (2010-10-18)
Latest versionRFC 8659
November 2019
OrganizationIETF
Authors

DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism that allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name. It does this by means of a "CAA" Domain Name System (DNS) resource record.

It was drafted by computer scientists Phillip Hallam-Baker and Rob Stradling in response to increasing concerns about the security of publicly trusted certificate authorities. It is an Internet Engineering Task Force (IETF) proposed standard.

Background[edit]

A series of incorrectly issued certificates from 2001 onwards[1][2] damaged trust in publicly trusted certificate authorities,[3] and accelerated work on various security mechanisms, including Certificate Transparency to track mis-issuance, HTTP Public Key Pinning and DANE to block mis-issued certificates on the client-side, and CAA to block mis-issuance on the certificate authority side.[4]

The first draft of CAA was written by Phillip Hallam-Baker and Rob Stradling, and submitted as an IETF Internet Draft in October 2010.[5] This was progressively improved by the PKIX Working Group,[6] and approved by the IESG as RFC 6844, a Proposed Standard, in January 2013.[7] CA/Browser Forum discussion began shortly afterward,[4] and in March 2017 they voted in favor of making CAA implementation mandatory for all certificate authorities by September 2017.[8][9] At least one certificate authority, Comodo, failed to implement CAA before the deadline.[10] A 2017 study by the Technical University of Munich found many instances where certificate authorities failed to correctly implement some part of the standard.[4]

In September 2017, Jacob Hoffman-Andrews submitted an Internet Draft intended to simplify the CAA standard. This was improved by the LAMPS Working Group, and approved as RFC 8659, a Proposed Standard, in November 2019.[11]

As of June 2024, Qualys reports that still, only 15.4% of the 150,000 most popular TLS-supporting websites use CAA records.[12]

Record[edit]

Certificate authorities implementing CAA perform a DNS lookup for CAA resource records, and if any are found, ensure that they are listed as an authorized party before issuing a digital certificate. Each CAA resource record consists of the following components:[11]

flag
A flags byte which implements an extensible signaling system for future use. As of 2018, only the issuer critical flag has been defined, which instructs certificate authorities that they must understand the corresponding property tag before issuing a certificate.[11] This flag allows the protocol to be extended in the future with mandatory extensions,[4] similar to critical extensions in X.509 certificates.
tag
One of the following property:
issue
This property authorizes the holder of the domain specified in associated property value to issue certificates for the domain for which the property is published.
issuewild
This property acts like issue but only authorizes the issuance of wildcard certificates, and takes precedence over the issue property for wildcard certificate requests.
iodef
This property specifies a method for certificate authorities to report invalid certificate requests to the domain name holder using the Incident Object Description Exchange Format. As of 2018, not all certificate authorities support this tag, so there is no guarantee that all certificate issuances will be reported.
contactemail
Increasingly, contact information is not available in WHOIS due to concerns about potential GDPR violations. This property allows domain holders to publish contact information in DNS.[13][14]
contactphone
As above, for phone numbers.[15]
value
The value associated with the chosen property tag.

The lack of any CAA records authorizes normal unrestricted issuance, and the presence of a single blank issue tag disallows all issuance.[11][9][16]

Third parties monitoring certificate authority behavior might check newly issued certificates against the domain's CAA records. RFC 8659 states; CAA records MAY be used by Certificate Evaluators as a possible indicator of a security policy violation. Such use SHOULD take into account the possibility that published CAA records changed between the time a certificate was issued and the time at which the certificate was observed by the Certificate Evaluator.[11]

Extensions[edit]

RFC 8657 specifies "accounturi" and "validationmethods" parameters which allow users to specify desired methods of domain control validation as defined in ACME protocol. For example, website administrators can bind a domain they control to a particular account registered with their desired Certification Authority.

History[edit]

A draft of the first extension to the CAA standard was published on October 26, 2016, proposing a new account-uri token to the end of the issue property, which ties a domain to a specific Automated Certificate Management Environment account.[17] This was amended on August 30, 2017, to also include a new validation-methods token, which ties a domain to a specific validation method,[18] and then further amended on June 21, 2018, to remove the hyphen in account-uri and validation-methods making them instead accounturi and validationmethods.[19]

Examples[edit]

To indicate that only the certificate authority identified by ca.example.net is authorized to issue certificates for example.com and all subdomains, one may use this CAA record:[11] 

example.com.  IN  CAA 0 issue "ca.example.net"

To disallow any certificate issuance, one may allow issuance only to an empty issuer list: 

example.com.  IN  CAA  0 issue ";"

To indicate that certificate authorities should report invalid certificate requests to an email address and a Real-time Inter-network Defense endpoint: 

example.com.  IN  CAA 0 iodef "mailto:security@example.com"
example.com.  IN  CAA 0 iodef "http://iodef.example.com/"

To use a future extension of the protocol, for example, one which defines a new future property, which needs to be understood by the certificate authority before they can safely proceed, one may set the issuer critical flag: 

example.com.  IN  CAA  0 issue "ca.example.net"
example.com.  IN  CAA  128 future "value"

Incidents[edit]

In 2017, Camerfirma was found to improperly validate CAA records. Camerfirma claimed to have misunderstood the CA/Browser Forum Baseline Requirements describing CAA validation.[20][4]

In early 2020, Let's Encrypt disclosed that their software improperly queried and validated CAA records potentially affecting over 3 million certificates.[21] Let's Encrypt worked with customers and site operators to replace over 1.7 million certificates, but decided not to revoke the rest to avoid client downtime and since the affected certificates would all expire in less than 90 days.[22]

See also[edit]

References[edit]

  1. ^ Ristić, Ivan. "SSL/TLS and PKI History". Feisty Duck. Retrieved June 8, 2018.
  2. ^ Bright, Peter (August 30, 2011). "Another fraudulent certificate raises the same old questions about certificate authorities". Ars Technica. Retrieved February 10, 2018.
  3. ^ Ruohonen, Jukka (2019). "An Empirical Survey on the Early Adoption of DNS Certification Authority Authorization". Journal of Cyber Security Technology. 3 (4): 205–218. arXiv:1804.07604. doi:10.1080/23742917.2019.1632249. S2CID 5027899.
  4. ^ a b c d e Scheitle, Quirin; Chung, Taejoong; et al. (April 2018). "A First Look at Certification Authority Authorization (CAA)" (PDF). ACM SIGCOMM Computer Communication Review. 48 (2): 10–23. doi:10.1145/3213232.3213235. ISSN 0146-4833. S2CID 13988123.
  5. ^ Hallam-Baker, Phillip; Stradling, Rob (October 18, 2010). DNS Certification Authority Authorization (CAA) Resource Record. IETF. I-D draft-hallambaker-donotissue-00.
  6. ^ Hallam-Baker, Phillip; Stradling, Rob; Ben, Laurie (June 2, 2011). DNS Certification Authority Authorization (CAA) Resource Record. IETF. I-D draft-ietf-pkix-caa-00.
  7. ^ Hallam-Baker, Phillip; Stradling, Rob (January 2013). DNS Certification Authority Authorization (CAA) Resource Record. IETF. doi:10.17487/RFC6844. ISSN 2070-1721. RFC 6844.
  8. ^ Hall, Kirk (March 8, 2017). "Results on Ballot 187 - Make CAA Checking Mandatory". CA/Browser Forum. Retrieved January 7, 2018.
  9. ^ a b Beattie, Doug (August 22, 2017). "What is CAA (Certificate Authority Authorization)?". GlobalSign. Retrieved February 2, 2018.
  10. ^ Cimpanu, Catalin (September 11, 2017). "Comodo Caught Breaking New CAA Standard One Day After It Went Into Effect". Bleeping Computer. Retrieved January 8, 2018.
  11. ^ a b c d e f DNS Certification Authority Authorization (CAA) Resource Record. IETF. November 2019. doi:10.17487/RFC8659. ISSN 2070-1721. RFC 8659.
  12. ^ "SSL Pulse". SSL Labs. Qualys. January 3, 2020. Retrieved January 31, 2020.
  13. ^ "Public Key Infrastructure using X.509 (PKIX) Parameters". www.iana.org. Retrieved August 22, 2020.
  14. ^ https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.3.pdf [bare URL PDF]
  15. ^ Beattie, Doug (January 7, 2019). "Ballot SC14: CAA Contact Property and Associated Phone Validation Methods". CA/Browser Forum (Mailing list). Retrieved October 19, 2020.
  16. ^ "What is Certificate Authority Authorization (CAA)?". Symantec. Archived from the original on January 8, 2018. Retrieved January 8, 2018.
  17. ^ Landau, Hugo (October 26, 2016). CAA Record Extensions for Account URI and ACME Method Binding. IETF. I-D draft-ietf-acme-caa-00.
  18. ^ Landau, Hugo (August 30, 2017). CAA Record Extensions for Account URI and ACME Method Binding. IETF. I-D draft-ietf-acme-caa-04.
  19. ^ Landau, Hugo (June 21, 2018). CAA Record Extensions for Account URI and ACME Method Binding. IETF. I-D draft-ietf-acme-caa-05.
  20. ^ "CA:Camerfirma Issues - MozillaWiki". wiki.mozilla.org. Retrieved April 27, 2021.
  21. ^ Claburn, Thomas (March 3, 2020). "Let's Encrypt? Let's revoke 3 million HTTPS certificates on Wednesday, more like: Check code loop blunder strikes". www.theregister.com. Archived from the original on May 31, 2020. Retrieved April 27, 2021.
  22. ^ Barrett, Brian (March 3, 2020). "The Internet Avoided a Minor Disaster Last Week". Wired. ISSN 1059-1028. Retrieved April 27, 2021.

External links[edit]

source: https://en.wikipedia.org/w/index.php?title=DNS_Certification_Authority_Authorization&diff=1230881915&oldid=792917389

Leave a Reply