DNS Record for Domain CA?


Lester Waters

Jan 22, 2017, 2:48:51 PM
to certificate-transparency
As a further extension to the proposal, one could indicate the issuing Certificate Authority for their domain via DNS in a TXT record (akin to an SPF record). For example:

   TXT = "v=ct1 root={public-signing-key or thumbprint}"

One could go a step further and include a thumbprint of their certificate(s) for the domain:

   TXT = "v=ct1 root={public-signing-key or thumbprint}  c={certificate-thumbprint}"

This would be a simple and fast DNS check and could be much more expedient than checking the database.  If the CT1 TXT record is present, then it is observed. This raises the bar further as it potentially eliminates a window of time where a rogue certificate is used but before it is observed / witnessed as such.
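The check sketched above, as an added example written for this thread (it is not code from the original post or from any CT project). It parses a domain's TXT strings for the proposed "v=ct1" record, pins the chain's root and optionally the leaf by thumbprint, and distinguishes "no record published" (fall back to the log check) from "record present but chain does not match" (fail). The exact grammar, the use of a SHA-256 thumbprint rather than a raw public key for root=, and the rule that several c= tags are allowed while a second ct1 record is an error are all assumptions made here, since the proposal only sketches the format; the certificate byte strings are constructed stand-ins for DER.

```python
"""Added example: parsing and enforcing the proposed "v=ct1" TXT record.

Illustrative code for this thread, not part of the original post.
Assumptions: thumbprints are SHA-256 over DER bytes, lowercase hex;
the record is space-separated key=value tags; root= is required once,
c= may repeat, and a domain publishes at most one ct1 record.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

_TAG_RE = re.compile(r"^[a-z]+=\S+$")


@dataclass
class Ct1Record:
    root: str                                   # pinned root thumbprint (hex)
    certs: List[str] = field(default_factory=list)  # optional leaf thumbprints


def thumbprint(der: bytes) -> str:
    """SHA-256 thumbprint of DER-encoded material, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def parse_ct1(txt: str) -> Optional[Ct1Record]:
    """Parse one TXT string. Returns None if it is not a ct1 record at all;
    raises ValueError if it claims to be one but is malformed."""
    tags = txt.split()
    if not tags or tags[0] != "v=ct1":
        return None
    root = None
    certs: List[str] = []
    for tag in tags[1:]:
        if not _TAG_RE.match(tag):
            raise ValueError(f"malformed tag: {tag!r}")
        key, value = tag.split("=", 1)
        value = value.lower()
        if key == "root":
            if root is not None:
                raise ValueError("duplicate root= tag")
            root = value
        elif key == "c":
            certs.append(value)
        else:
            raise ValueError(f"unknown tag: {key}")
    if root is None:
        raise ValueError("ct1 record without root=")
    return Ct1Record(root=root, certs=certs)


def select_ct1(txt_records: Sequence[str]) -> Optional[Ct1Record]:
    """Pick the ct1 record among a domain's TXT strings (SPF etc. are ignored).
    Two or more ct1 records are treated as misconfiguration: fail closed."""
    found = [r for r in (parse_ct1(t) for t in txt_records) if r is not None]
    if len(found) > 1:
        raise ValueError("multiple ct1 records")
    return found[0] if found else None


def check_chain(chain_der: Sequence[bytes], record: Optional[Ct1Record]) -> str:
    """chain_der: leaf first, root last, as DER bytes.
    Returns 'no-record' (policy not published; caller falls back to the
    normal CT log check), 'ok' (chain matches the published policy) or
    'mismatch' (root or leaf disagrees with the record)."""
    if record is None:
        return "no-record"
    if not chain_der:
        return "mismatch"
    if thumbprint(chain_der[-1]) != record.root:
        return "mismatch"
    if record.certs and thumbprint(chain_der[0]) not in record.certs:
        return "mismatch"
    return "ok"


# Constructed sample data: these byte strings stand in for DER certificates;
# real code would pass the certificates received in the TLS handshake.
LEAF_DER = b"constructed leaf certificate for example.com"
ROOT_DER = b"constructed root CA certificate"
ROGUE_ROOT_DER = b"constructed root of a CA the domain never used"

GOOD_TXT = [
    "v=spf1 -all",
    f"v=ct1 root={thumbprint(ROOT_DER)} c={thumbprint(LEAF_DER)}",
]

if __name__ == "__main__":
    rec = select_ct1(GOOD_TXT)
    print(check_chain([LEAF_DER, ROOT_DER], rec))        # ok
    print(check_chain([LEAF_DER, ROGUE_ROOT_DER], rec))  # mismatch
    print(check_chain([LEAF_DER, ROOT_DER], select_ct1(["v=spf1 -all"])))  # no-record
```

Two caveats a client implementing this would have to settle: the record only constrains an attacker if the DNS answer itself is authenticated (DNSSEC or an equivalent), otherwise whoever can spoof DNS can also publish a matching root= for their rogue chain; and a standardized record for "which CA may issue for this name" already exists in the form of CAA, which is consumed by CAs at issuance time rather than by clients at connection time, which is the distinction the next reply asks about.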


Eran Messeri

Jan 23, 2017, 7:40:32 AM
to certificate-...@googlegroups.com
How is that different from CAA records?

