Be aware that there are two authors listed in RFC 6844, which is the RFC for CAA. Both are Comodo employees. There are no other authors listed.
Therefore, Comodo has a more than casual interest, and less than impartial viewpoint when answering questions from you about CAA.
– [Spenser]
I checked the RFC and indeed, both listed authors seem to be from Comodo at the time of writing the RFC.
Internet Engineering Task Force (IETF)                    P. Hallam-Baker
Request for Comments: 6844                             Comodo Group, Inc.
Category: Standards Track                                    R. Stradling
ISSN: 2070-1721                                           Comodo CA, Ltd.
                                                             January 2013
You might also look at the history of the voting to impose the September deadline. The voters were members of some committee of browser and certificate vendors. There was seemingly no input from people involved in DNS. Since CAA is a DNS record, that is somewhat odd. Create a dependency on something where the provider of that thing has not been consulted, and where the provider of that thing has to write new code in order for the new thing to actually exist.
If you look at the scheme carefully, it offers nothing more than operational convenience for the issuer.
First, a CAA record need not exist. The issuer must query for the record, but it need not exist. This is often glossed over and has caused much consternation when it is presented as a requirement. The only requirement is that the issuer query for the record, and comply with the content of the record, if it exists.
Second, it offers no real protection against improperly issuing a certificate to a non-authorized person in its normal usage. If a CAA record is published that specifies xxx.com as the only authorized issuer, then a non-authorized person only needs to be sure to buy their certificate from xxx.com instead of any other certificate issuer. There is a provision for setting the contact name and notifications, but this will be unlikely to be widely used or understood.
– [Spenser]
I found a description of the DNS Certification Authority Authorization and its current state. The so-called “CA/Browser Forum”, of which Comodo is a member, voted for CAA in Ballot 125 from 2014-10-14. In this vote, the decision for the CAA resource record was made.
In March 2017 the CA/Browser Forum voted (Ballot 187 from 2017-05-08) to make CAA mandatory. As of this, beginning with September 2017 (six months after the vote), all CAs should honor the CAA records.
Interestingly, in the list of exceptions is the following point:
CAA checking is optional if the CA or an Affiliate of the CA is the DNS Operator (as defined in RFC 7719) of the domain’s DNS.
– [Ballot 187 – Make CAA Checking Mandatory]
So, if the CA (or one of its affiliates) is also in charge of the domain’s DNS, it can skip the check of CAA records set by the domain owner. So if Cloudflare allowed CAA records and Comodo had a contractual partnership (an affiliation) with them, they would be allowed to ignore the CAA records. Personally, I think these exceptions make the whole concept of CAA records not completely useless, but at least not trustworthy, as you never know if the CAA records will be checked or not.
Additionally, as Spencer mentioned, CAA records as such do not prevent unauthorized creation of certificates at all. They might make it a bit harder, since the certificate has to be obtained from the listed CA, but as I understood the CAA specification, anyone who is able to successfully validate a domain with a CA could simply request the certificate from the CA listed in the CAA record.
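To make the two points above concrete (that a CAA record need not exist, and that when it does exist it only restricts which CA may issue, not who may request), here is an added example, not code from the original post or from any CA, that walks the CAA lookup an issuer performs per RFC 6844: climb from the requested name to the root until a CAA RRset is found, then apply the issue/issuewild rules (wildcard precedence as clarified in RFC 8659, which obsoleted 6844). The zone contents, domain names and CA identifiers are constructed for the example; nothing is resolved over the network.

```python
"""CAA evaluation walk-through (added example, constructed zone data).

Shows the 'relevant RRset' search and the issue / issuewild checks an
issuer performs per RFC 6844 (wildcard precedence per RFC 8659), against
an in-memory zone instead of live DNS.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 128          # flag bit 7 of a CAA record
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 or ISSUER_CRITICAL
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "comodoca.com; account=123", or ";" meaning "nobody"


# Constructed sample zone: FQDN (absolute, lowercase) -> CAA RRset.
SAMPLE_ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "comodoca.com"),                 # only this CA
        CAARecord(0, "issuewild", ";"),                        # no wildcard certs
        CAARecord(0, "iodef", "mailto:security@example.com"),  # report address
    ],
    "nocaa.test.": [],                                         # no CAA at all
    "critical.test.": [CAARecord(ISSUER_CRITICAL, "future-tag", "x")],
}


def _normalize(name: str) -> str:
    return name.lower().rstrip(".") + "."


def _parent(name: str) -> str:
    labels = name.rstrip(".").split(".")
    return "." if len(labels) <= 1 else ".".join(labels[1:]) + "."


def relevant_caa_set(zone: dict, fqdn: str) -> list:
    """Walk from fqdn toward the root; return the first non-empty CAA RRset.

    An empty list means no ancestor publishes CAA. The issuer MUST query,
    but the record need not exist: an empty result imposes no restriction.
    """
    name = _normalize(fqdn)
    while name != ".":
        rrset = zone.get(name, [])
        if rrset:
            return list(rrset)
        name = _parent(name)
    return []


def _issuer_domain(value: str) -> str:
    # "comodoca.com; account=123" -> "comodoca.com";  ";" -> "" (nobody)
    return value.split(";", 1)[0].strip().lower()


def is_issuance_permitted(zone: dict, fqdn: str, ca_domain: str,
                          wildcard: bool = False) -> bool:
    """Decide whether the CA identified by ca_domain may issue for fqdn.

    Note what is NOT an input: the identity of the requester. CAA only
    narrows the set of CAs; domain validation at the listed CA still
    decides who actually obtains the certificate.
    """
    rrset = relevant_caa_set(zone, fqdn)
    if not rrset:
        return True                                  # no CAA: permitted
    # An unrecognised tag with the critical flag set must block issuance.
    for rr in rrset:
        if rr.flags & ISSUER_CRITICAL and rr.tag.lower() not in KNOWN_TAGS:
            return False
    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True                                  # no restriction of this kind
    ca = ca_domain.lower().rstrip(".")
    return any(_issuer_domain(rr.value) == ca for rr in applicable)


def iodef_contacts(zone: dict, fqdn: str) -> list:
    """Report addresses (the notification provision mentioned above)."""
    return [rr.value for rr in relevant_caa_set(zone, fqdn)
            if rr.tag.lower() == "iodef"]


if __name__ == "__main__":
    for host, ca, wild in [("www.example.com", "comodoca.com", False),
                           ("www.example.com", "otherca.example", False),
                           ("www.example.com", "comodoca.com", True),
                           ("host.nocaa.test", "anyca.example", False)]:
        print(host, ca, "wildcard" if wild else "",
              "->", is_issuance_permitted(SAMPLE_ZONE, host, ca, wild))
```

The `www.example.com` lookup finds nothing at the host name and inherits the parent's RRset, so `comodoca.com` is permitted for a normal certificate, any other CA is refused, and the `issuewild ";"` record blocks wildcard issuance for everyone. `host.nocaa.test` has no CAA anywhere in its tree and is permitted for any CA. The one defensive knob the scheme does give a domain owner beyond choosing the CA is the critical flag: an unknown critical tag must cause a refusal.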
Again, a big thank you to Spencer for the detailed insight which pointed me in this direction.