Deploy360 19 June 2017

CAA mandated by CA/Browser Forum

By Aftab Siddiqui Technical Engagement Manager for Asia-Pacific

On 8 March 2017, the CA/B Forum announced that the voting period was over for “Ballot 187 – Make CAA Checking Mandatory”, which means mandatory CAA checking will become part of its Baseline Requirements document.

But who is CA/B Forum, and what is the significance of this decision?

As per its bylaws, the Certification Authority Browser Forum (CA/B Forum) is a voluntary gathering of leading Certification Authorities (CAs) and vendors of Internet browsers. Members of the CA/B Forum work closely together to define guidelines and best practices as a way of improving security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users.

However, the bylaws clearly state that the Forum has no corporate or association status, but is simply a group of CAs and browser vendors who communicate or meet from time to time to discuss matters of common interest. The Forum has no regulatory or industry powers over its members or others.

The current members of the CA/B Forum consist of 52 Certification Authorities and 6 Internet browser vendors, including Apple, Google, Microsoft, Mozilla, Opera and 360; so what is the significance of this decision?

Certification Authority Authorization (CAA) was specified in RFC 6844 in 2013, and CAA Resource Records allow a public CA to implement additional controls to reduce the risk of unintended certificate mis-issue. CAA creates a DNS mechanism that enables domain name owners to whitelist CAs that are allowed to issue certificates for their hostnames, using a new DNS Resource Record (RR) type called CAA (Type 257, IANA assigned RR Type).

Owners can restrict certificate issuance by specifying zero or more CAs, each identified in the record by the domain name the CA uses for this purpose. Before issuing a certificate, a CA is expected to check the DNS record and refuse issuance unless it finds its own name on the whitelist.
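As an added illustration (not part of the original post), here is a small Python model of the CA-side check described above, using constructed records in place of real DNS answers. It climbs to the closest name that has a CAA RRset, applies `issuewild` to wildcard requests, treats a bare `;` as "no CA may issue", and refuses when an unrecognised property carries the critical flag, following RFC 6844.

```python
# Constructed zone data standing in for DNS CAA answers (flags, tag, value).
CAA_ZONES = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com"),
        (0, "issuewild", ";"),                     # no wildcard certs at all
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.net.": [(0, "issue", ";")],    # nobody may issue
    "open.example.net.": [(0, "iodef", "mailto:caa@example.net")],
    "strict.example.org.": [(128, "futuretag", "x")],  # critical, unknown
}

def lookup_relevant_rrset(fqdn):
    """Tree-climb as in RFC 6844 section 4: first name with a CAA RRset wins."""
    labels = (fqdn.rstrip(".") + ".").split(".")
    for i in range(len(labels) - 1):              # stop before the root
        candidate = ".".join(labels[i:])
        if candidate in CAA_ZONES:
            return CAA_ZONES[candidate]
    return []                                     # no CAA anywhere up the tree

def caa_permits(fqdn, ca_domain, known_tags=("issue", "issuewild", "iodef")):
    """Return (permitted, reason) for ca_domain wanting to issue for fqdn."""
    wildcard = fqdn.startswith("*.")
    rrset = lookup_relevant_rrset(fqdn[2:] if wildcard else fqdn)
    # An unrecognised property with the critical bit set forbids issuance.
    if any(flags & 128 and tag not in known_tags for flags, tag, _ in rrset):
        return False, "unrecognised critical CAA property"
    has_wild = any(tag == "issuewild" for _, tag, _ in rrset)
    tag_wanted = "issuewild" if wildcard and has_wild else "issue"
    values = [v for _, tag, v in rrset if tag == tag_wanted]
    if not values:
        return True, "relevant RRset does not restrict issuance"
    # The CA's domain is the part before any ';' parameters, e.g. "ca.example; account=123".
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    allowed.discard("")                           # a bare ';' names no CA
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is listed in {tag_wanted}"
    return False, f"{ca_domain} is not listed in {tag_wanted}"
```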

The current Baseline Requirements Certificate Policy of the CA/B Forum describes “an integrated set of technologies, protocols, identity‐proofing, lifecycle management, and auditing requirements that are necessary (but not sufficient) for the issuance and management of Publicly‐Trusted Certificates; Certificates that are trusted by virtue of the fact that their corresponding Root Certificate is distributed in widely‐available application software. The requirements are not mandatory for Certification Authorities unless and until they become adopted and enforced by relying–party Application Software Suppliers.”

The fact that any CA can issue a certificate for any domain name is commonly cited as a weakness of the system. By adding mandatory CAA checks to the CA/B Forum Baseline Requirements, which are supported by all major browser vendors, it is highly likely that CAA adoption will rise significantly and reduce the risk of unintended certificate mis-issuance.

If you’re looking for background information on how Public Key Infrastructures (PKIs) and Certificate Authorities (CA) support secure and private communication on the Internet, then Deploy360 has also published an overview of how these mechanisms work and how they are deployed.
