One of the issues of having many public CAs is that any or all can issue SSL certificates for any domain. This would be upsetting to a subscriber that has reviewed the SSL industry and has chosen a CA that they can trust and work with. Another CA can issue a certificate for their domain at the same time.
This happens all the time, but in an honest way. When an enterprise user wants a certificate and doesn’t know that the company has already negotiated a pre-existing relationship with a CA, he just orders the certificate online from a CA of his choosing. Unfortunately, the certificate could be issued by the CA to an attacker. This is what happened last year at both Comodo and DigiNotar. In both cases, the attacker found a way to get a CA to issue certificates for domains even though the owners of the domains were not their customers.
The result is that many industry experts have been looking for ways to stop CAs from issuing certificates for a domain that the registrant did not authorize. CAA is a solution. The full name is Certification Authority Authorization (CAA), which is a DNS resource record that allows a DNS domain name holder to specify the Certification Authorities authorized to issue certificates for that domain. Publication of CAA resource records will allow public CAs to implement additional controls to reduce the risk of unintended certificate issuance.
It’s obvious why an SSL certificate subscriber would want this as it will help protect their domain, brand and security costs. Why would a CA use CAA?
- Increases the reliability of a validated domain name
- Implementation can be automatic and low maintenance
- Allows high-value targets to identify themselves, which will help with global verification of high-value domains
- Powerful defense against fraudulent issue attempts
- Also to consider is that if some CAs use CAA and others do not, then who will be the hacker’s target for fraudulent certificates?
The request for comment (RFC) for CAA is close to completion and should be available in August 2012. After publication, it will be provided to the CA/Browser Forum with the expectation that it will be referenced as a requirement from the Baseline Requirements.
Updated January 28, 2013: CAA has been released as RFC 6844.