
Dashboard and Study on CAA Adoption


Quirin Scheitle

Dec 15, 2017, 10:10:11 AM
to sp...@ietf.org, mozilla-dev-s...@lists.mozilla.org
Dear all,

Some colleagues and I want to share an academic study on CAA that we have been working on in the past months.
We hope that our findings can provide quantitative data to assist further discussion, such as the “CAA-simplification” draft at IETF and work at the validation-wg at CABF.
We also give specific recommendations on how *we think* that CAA can be improved.

The results, paper, and a dashboard tracking CAA adoption are available under

https://caastudy.github.io/

[Please note that the paper discusses facts as of Nov 30]
We will be happy to elaborate some aspects further; the paper does not discuss all the details.
We have discussed previous drafts with various individuals in this community and thank them for their inputs.

Kind regards
Quirin and team


Ryan Hurst

Dec 15, 2017, 5:07:43 PM
to mozilla-dev-s...@lists.mozilla.org
This is great work. Thank you.

Gervase Markham

Jan 9, 2018, 12:11:40 PM
to mozilla-dev-s...@lists.mozilla.org
Hi Quirin,

On 15/12/17 15:09, Quirin Scheitle wrote:
> The results, paper, and a dashboard tracking CAA adoption are available under
>
> https://caastudy.github.io/

Belatedly, thank you and your colleagues for doing this excellent work.

It is interesting that you have received no iodef messages at all. I can
imagine CAs deprioritizing that work in favour of getting their
implementations right. I can see a time, when CAA implementations have
settled down and are reliable, that we might look at mandatory reporting
of attempted misissuance.

CAs are already able to use CA-specific tags to restrict particular
validation methods and certificate types; this is something I think it's
reasonable to let the market provide if there is demand.

The DNS operator privilege is there because it doesn't make too much
sense for an organization to ask itself for permission to issue.

I would expect CAs to be storing the results of their CAA lookups in
their issuance logs, in sufficient detail for them to be checked later,
even if they are not published.

I share your hope that the deployment and use of CAA, and the accuracy
and consistency of checking, will improve in the days ahead. It will be
fascinating if you are able to repeat this research in six or twelve
months' time.

One other quote:

"For 1 domain, our scans showed a CAA configuration that
consistently did not permit any CA to issue, yet a certificate
was issued during this time. Upon inquiry, the domain name
holder confirmed that they had fully automated their certificate
issuance process, including automatic reconfiguration of
CAA records for a brief time period."

That's pretty awesome :-)

Gerv
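As an added illustration of the CAA checking rules this thread discusses (not code from the study, from Mozilla, or from any CA), here is a minimal evaluator over constructed records: it climbs toward the root to find the relevant record set, handles the `issue ";"` deny-all configuration quoted above, `issuewild`, unknown critical tags, and lists `iodef` contacts. All zone data and CA names are made up.

```python
from typing import NamedTuple

class CAA(NamedTuple):
    flags: int   # bit 0x80 = "issuer critical"
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # "example-ca.org", ";" (deny all), "mailto:..."

# Constructed CAA data keyed by owner name (assumption: not real DNS).
ZONE = {
    "example.org": [CAA(0, "issue", "example-ca.org"),
                    CAA(0, "iodef", "mailto:caa@example.org")],
    "locked.example.org": [CAA(0, "issue", ";")],            # deny-all case from the thread
    "wild.example.org": [CAA(0, "issue", "example-ca.org"),
                         CAA(0, "issuewild", "other-ca.net")],
    "strict.example.org": [CAA(128, "policy", "ev-only")],   # unknown critical tag
}

def relevant_set(fqdn):
    """Climb toward the root until an owner name with CAA records is found."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []  # no CAA anywhere in the tree

def ca_domain(value):
    # The issuer domain precedes any ';'-separated parameters; empty means "no CA".
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca, fqdn, wildcard=False):
    """True if a CA identified by `ca` is permitted to issue for `fqdn`."""
    rrset = relevant_set(fqdn)
    known = ("issue", "issuewild", "iodef")
    if any(r.flags & 0x80 and r.tag.lower() not in known for r in rrset):
        return False  # unrecognised critical property: must not issue
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True   # no applicable property: issuance unrestricted
    return any(ca_domain(r.value) == ca.lower() for r in applicable)

def iodef_contacts(fqdn):
    """Report addresses a CA should notify about a refused request."""
    return [r.value for r in relevant_set(fqdn) if r.tag.lower() == "iodef"]
```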