Certificate Authority Authorization Protects Domain Owners From Mis-Issuance.
Starting soon, new rules will make CAA checking mandatory.
Certificate Authority Authorization (CAA) is an optional security measure that website operators can use to protect their domain from mis-issuance. It allows domain owners to specify which Certificate Authorities (CAs) are allowed to issue certificates for their websites.
CAA is configured as a DNS record. Domain owners who want to use CAA create a record with a list of the CAs that may issue certificates for them.
When a CA receives a certificate request, it checks the domain's CAA record to see whether it is an approved issuer. If it is not a listed CA, it must refuse to issue the certificate. If a domain has no CAA record, any CA is free to issue a certificate for it.
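The decision a CA has to make, shown as an added example (this is not code from the original article or from any CA): a Python check against a constructed in-memory zone in place of real DNS. It goes slightly beyond the article by also applying two rules from RFC 6844 that the text does not cover: if the name itself has no CAA record the CA looks at its parent names ("tree climbing"), and a record marked critical with an unrecognised tag forbids issuance.

```python
from typing import List, Tuple

# Constructed sample zone (not real DNS data): name -> CAA records in
# presentation form '<flags> <tag> "<value>"'. Names absent here have no records.
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"', '0 issuewild ";"',
                    '0 iodef "mailto:security@example.com"'],
    "example.org": ['0 issue "digicert.com; validationmethods=dns-01"'],
    "locked.example.com": ['128 unknowntag "x"'],  # critical flag, unknown tag
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")

def parse_caa(text: str) -> Tuple[int, str, str]:
    """Parse '0 issue "ca.example"' into (flags, tag, value)."""
    flags, tag, value = text.split(" ", 2)
    return int(flags), tag.lower(), value.strip('"')

def lookup_caa(name: str) -> List[Tuple[int, str, str]]:
    """Find the relevant CAA record set: the name itself, else climb towards
    the root (RFC 6844 tree climbing); the first name with records wins."""
    labels = name.lower().split(".")
    for i in range(len(labels)):
        records = ZONE.get(".".join(labels[i:]), [])
        if records:
            return [parse_caa(r) for r in records]
    return []

def may_issue(name: str, ca: str, wildcard: bool = False) -> bool:
    """Return True if the CA identified by domain `ca` may issue for `name`."""
    records = lookup_caa(name)
    if not records:
        return True  # no CAA record anywhere in the chain: any CA may issue
    # A record flagged critical (bit 128) with a tag the CA does not
    # understand means "do not issue", not "ignore this record".
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    tag = "issuewild" if wildcard else "issue"
    relevant = [v for _, t, v in records if t == tag]
    if wildcard and not relevant:  # no issuewild: issue governs wildcards too
        relevant = [v for _, t, v in records if t == "issue"]
    if not relevant:
        return True  # nothing restricts issuance (e.g. only iodef is present)
    # Value is "<ca-domain>[; param=value ...]"; a bare ";" forbids all issuance.
    allowed = {v.split(";")[0].strip().lower() for v in relevant}
    return ca.lower() in allowed
```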
Starting September 8th, all CAs will be required to check and obey a domain’s CAA records. The CAB Forum approved this measure last month.
Why Make CAA Checking Mandatory?
One of the criticisms of the CA system is that any single CA has the ability to impact the security of the entire internet. Browsers ship around 100 root certificates – including roots owned by governments and obscure regional CAs.
Any one of these CAs could issue a certificate for your domain, and historically, smaller and less well-known CAs have been targets for hackers, or guilty of issuing certificates without proper validation.
While other measures – like Certificate Transparency and Name Constraints – now exist to rein in the power of these roots, CAA provides another line of defense to domain owners.
Currently, there are only a few hundred websites in the whole world using CAA (SSL Pulse has started tracking CAA deployment and reports 250 sites are using it). Adoption has been slowed by two obstacles:
- Prior to this ballot, CAA checking was optional, and therefore, not a real security measure. Sort of like writing “please do not steal” on the side of your car.
- CAA uses its own type of DNS record, which requires the DNS provider to add support for it.
With CAA checking now mandatory, that first obstacle has been taken care of. This should create significantly more interest from users to deploy CAA, and more incentive for providers to support it.