On 26/09/2017 01:03, Andrew wrote:
> The BRs are indeed a bit ambiguous on this point, but my interpretation of this statement
>
>> CAs MUST document potential issuances that were prevented by a CAA record in sufficient detail to provide feedback to the CAB Forum on the circumstances, and SHOULD dispatch reports of such issuance requests to the contact(s) stipulated in the CAA iodef record(s), if present
>
> is that the reports should only be sent in a situation where a certificate _would_ have been issued if not for the CAA records. In other words, all other security measures intended to prevent misissuance failed, and if not for the presence of the CAA record a valid certificate for your domain would have been issued to a potentially malicious actor. In that situation, you'd definitely want to be informed so you can investigate what allowed the attacker to get that far along in the process.
>
> That's my understanding anyway.
>
Alternatively, you might want to adjust your CAA record if that was
actually a legitimate request. This is especially handy if the CA only
communicates a generic "rejected" message to the applicant in your
organization (which might even be the person managing the CAA record and
receiving the report).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.
https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
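The thread above turns on two things a CA does with a domain's CAA RRset: decide whether it may issue at all, and, when CAA was the only thing that stopped an otherwise valid request, find the iodef contact that should receive the report. The following Python is an added example written for this thread; it is not code from any CA or from the list participants. It implements the RFC 8659 issue/issuewild/iodef semantics over a constructed zone snippet for a hypothetical `example.com`, and adds a small domain-owner audit (does the record actually restrict anyone, and does the iodef contact point somewhere a CA will send to), which is the check you would run before relying on such reports to learn about near-misissuance or to spot a legitimate request that your own CAA record is blocking.

```python
"""Added example: evaluate a CAA RRset the way a CA does before issuance and
surface the iodef contact(s) that would receive a "prevented issuance" report.
Illustrative code, not any CA's implementation; the zone lines are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 128 = issuer-critical bit (RFC 8659 section 4.1.1)
    tag: str     # issue, issuewild, iodef, or a tag the CA may not recognise
    value: str


def parse_caa_rrset(zone_text: str) -> List[CAARecord]:
    """Parse constructed lines of the form:  <owner> CAA <flags> <tag> "<value>"."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[1].upper() != "CAA":
            raise ValueError(f"not a CAA line: {line!r}")
        records.append(CAARecord(int(parts[2]), parts[3].lower(), parts[4].strip().strip('"')))
    return records


def _issuer_of(value: str) -> str:
    """'ca.example; account=42' -> 'ca.example'; ';' -> '' (matches no issuer at all)."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(records: List[CAARecord], ca_domain: str, wildcard: bool = False) -> bool:
    """RFC 8659 semantics: the CA identified by ca_domain may issue only if the relevant
    property set is empty (CAA imposes no restriction) or names that CA. A critical
    record whose tag the CA does not understand blocks issuance outright."""
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag not in known for r in records):
        return False
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    return any(_issuer_of(r.value) == ca_domain.lower() for r in relevant)


def iodef_contacts(records: List[CAARecord]) -> List[str]:
    """Where a CA SHOULD send the report when CAA alone prevented issuance."""
    return [r.value for r in records if r.tag == "iodef"]


def audit_caa(records: List[CAARecord]) -> List[str]:
    """Domain-owner side: findings to fix before relying on CAA and its reports."""
    findings = []
    if not any(r.tag in ("issue", "issuewild") for r in records):
        findings.append("no issue/issuewild record: CAA does not restrict any CA")
    contacts = iodef_contacts(records)
    if not contacts:
        findings.append("no iodef record: prevented-issuance reports have nowhere to go")
    for c in contacts:
        if not (c.startswith("mailto:") or c.startswith("https://")):
            findings.append(f"iodef {c!r} is neither mailto: nor https:; CAs will not report to it")
    return findings


# Constructed sample RRset for a hypothetical domain.
SAMPLE_ZONE = """
example.com. CAA 0 issue "trusted-ca.example"
example.com. CAA 0 issuewild ";"
example.com. CAA 0 iodef "mailto:security@example.com"
"""

if __name__ == "__main__":
    rrset = parse_caa_rrset(SAMPLE_ZONE)
    for ca, wc in (("trusted-ca.example", False), ("other-ca.example", False),
                   ("trusted-ca.example", True)):
        ok = issuance_permitted(rrset, ca, wildcard=wc)
        tail = "" if ok else f"  -> report to {iodef_contacts(rrset)}"
        print(f"{ca:22} wildcard={wc!s:5} permitted={ok}{tail}")
    print("audit findings:", audit_caa(rrset) or "none")
```

Run as a script, it shows the three outcomes for the sample zone: the listed CA may issue a non-wildcard certificate, any other CA is blocked and would report to the iodef mailbox, and the `issuewild ";"` record blocks even the listed CA from issuing a wildcard. If a report arrives for a request your own team actually made, the `issue`/`issuewild` values are the lines to adjust, as the reply above suggests.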