
New Mandatory CAA Checking on the Horizon

Bruce Morton

Certification Authority Authorization (CAA) allows a domain owner to specify, in a DNS record (optionally protected by DNSSEC), which Certification Authorities (CAs) are authorized to issue certificates for their domain. The CA/Browser Forum has now adopted a policy that makes CAA checking mandatory for CAs, scheduled to take effect September 8, 2017. The technical requirements for CAA are specified in RFC 6844.

There are about 140 different government and global root CA certificates distributed with Windows. Those roots may have thousands of intermediate CAs, many of which can issue SSL/TLS certificates. CAA tightens security for domain owners by letting them limit certificate issuance to only the CAs they have authorized, whether that is one CA or several.

CAA supports the following properties:

  • issue: Authorizes the named CA to issue certificates for the domain (wildcard certificates included, unless an issuewild record is also present).
  • issuewild: Authorizes the named CA to issue wildcard certificates only; when present, it takes precedence over issue for wildcard requests.
  • iodef: Provides a URL (a mailto: address or a web address) where the CA can report certificate requests that violate the CAA policy.

Here is an example CAA record set for the domain example.com (the 0 is the flags field; the issuer domain name is the quoted value):

$ORIGIN example.com
.   CAA 0 issue "ca.issuer-one.com"
.   CAA 0 issuewild "ca.issuer-two.com"
.   CAA 0 iodef "mailto:security@example.com"

Each CA must define its issuer domain name in its Certification Practice Statement (CPS). Domain owners who want to use CAA to permit only specific CAs to issue certificates must create CAA records containing those issuer domain names and add them to their DNS zone (which may be DNSSEC-signed).

Here is a CAA record that would allow Entrust Datacard to issue certificates for the domain:

CAA 0 issue "entrust.net"

Each CA must check the CAA records for every domain name in the request at the time of certificate issuance and must act as follows:

  • If no CAA record set is found for the domain name or for any of its parent domains (RFC 6844 has the CA walk up the DNS tree to the first name that has CAA records), the CA may issue.
  • If a CAA issue record names the issuer domain name from the CA's CPS, the CA may issue.
  • If CAA issue records are present but none of them names the issuer domain name from the CA's CPS, the CA must not issue. For a wildcard request, issuewild records take precedence over issue records when present.
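The following is an added example (not Entrust or CA/Browser Forum code) that runs the issuance rules above, together with the issue, issuewild and iodef properties described earlier, against a constructed in-memory zone. It walks parent labels to find the relevant record set, honours issuewild precedence for wildcard requests, treats an empty issuer domain (`issue ";"`) as "nobody may issue", and refuses to issue when an unrecognised property carries the critical flag. The zone contents, the `futureprop` tag and the report URLs are made up for illustration; the CNAME/DNAME steps of RFC 6844 section 4 are omitted.

```python
"""
CAA issuance check over an in-memory zone, following RFC 6844.

Added example for this post, not Entrust or CA/Browser Forum code. The
zone below is constructed for illustration; the lookup walks parent
labels only and leaves out the CNAME/DNAME steps of RFC 6844 section 4.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CRITICAL = 128  # "issuer critical" bit in the CAA flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed sample zone data: owner name -> CAA RRset. No DNS queries are made.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        CAARecord(0, "issue", "ca.issuer-one.com"),
        CAARecord(0, "issuewild", "ca.issuer-two.com"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    # Empty issuer domain: no CA at all may issue for this name.
    "locked.example.com": [CAARecord(0, "issue", ";")],
    # Parameters after ';' are CA-specific and are not part of the issuer domain.
    "paid.example.com": [CAARecord(0, "issue", "entrust.net; account=12345")],
    # A property this code does not understand, marked critical (hypothetical tag).
    "odd.example.com": [
        CAARecord(0, "issue", "entrust.net"),
        CAARecord(CRITICAL, "futureprop", "x"),
    ],
    # iodef alone states where to report violations; it does not restrict issuance.
    "example.net": [CAARecord(0, "iodef", "https://caa-report.example.net/")],
}


def relevant_record_set(zone: Dict[str, List[CAARecord]], fqdn: str) -> Optional[List[CAARecord]]:
    """First non-empty CAA RRset found walking from fqdn up towards the root.
    Returns None when neither the name nor any parent has CAA records."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None


def issuer_domain(value: str) -> str:
    """Issuer domain of an issue/issuewild value: the part before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone: Dict[str, List[CAARecord]], requested_name: str, ca_issuer_domain: str) -> bool:
    """Decide whether the CA identified by ca_issuer_domain (the name it lists in
    its CPS) may issue for requested_name; use "*.x" for a wildcard request."""
    is_wildcard = requested_name.startswith("*.")
    base_name = requested_name[2:] if is_wildcard else requested_name
    rrset = relevant_record_set(zone, base_name)
    if rrset is None:
        return True  # no CAA record for the name or any parent: no restriction

    # A critical property the CA does not understand forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False

    # For wildcard requests, issuewild takes precedence over issue when present.
    tag = "issue"
    if is_wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    permitted = [issuer_domain(r.value) for r in rrset if r.tag.lower() == tag]
    if not permitted:
        return True  # CAA present (e.g. iodef only) but no issue restriction stated
    return ca_issuer_domain.lower() in permitted


def report_address(zone: Dict[str, List[CAARecord]], fqdn: str) -> Optional[str]:
    """Where the CA should report a request that violated the policy: the first
    iodef URL in the relevant RRset, or None if there is none."""
    for r in relevant_record_set(zone, fqdn) or []:
        if r.tag.lower() == "iodef":
            return r.value
    return None


if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca.issuer-one.com"),
                     ("www.example.com", "ca.issuer-two.com"),
                     ("*.example.com", "ca.issuer-two.com"),
                     ("locked.example.com", "ca.issuer-one.com"),
                     ("odd.example.com", "entrust.net"),
                     ("host.example.org", "entrust.net")]:
        verdict = "may issue" if ca_may_issue(ZONE, name, ca) else "must NOT issue"
        print(f"{ca:>18} for {name:<20} {verdict}")
```

Note that `www.example.com` has no CAA records of its own, so the check climbs to `example.com`, while `locked.example.com` is stopped by its own record set before the parent is ever consulted; a domain owner who adds CAA to a subdomain therefore overrides, rather than narrows, the parent's policy for that name.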

Many enterprises use more than one CA. This may be because departments source their certificates differently, or because no policy limits certificate purchases to specific CAs. A domain owner planning to use CAA should therefore make sure the records permit every CA the organization actually uses; otherwise legitimate renewals will be refused. A simple Certificate Transparency (CT) log search will reveal most of the publicly trusted CAs that have issued certificates for the domain.

CAA may be the best way to protect domain owners from having fraudulent certificates issued in their domain name. This has become increasingly important with the proliferation of unauthorized domain-validated (DV) certificates.

Update March 23, 2017: CA/Browser Forum Ballot 187 – Make CAA Checking Mandatory


Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

3 Comments

  1. Andrew White, May 24, 2017

    Are there any specifics about what warnings or change to user experience will occur in a browser starting 2017-9-8 in Chrome/Firefox/Safari?

    • Bruce Morton (Author), May 29, 2017

      There will be no impact to browser users.

      There may be an impact to the certificate requester. When a certificate request is performed, there will be a check of the CAA records. If there is no CAA record, then no issue. If there is a CAA record, then the record must authorize the CA to issue the certificate. If the CA is not authorized, then the certificate issuance request will be denied. The fix will be to either update the CAA record or request the certificate from the CA which is already authorized.
