CAA mandated by CA/Browser Forum

On 8 March 2017, the CA/B Forum announced that the voting period is over for “Ballot 187 – Make CAA Checking Mandatory“, which means mandatory CAA checking will become part of their Baseline Requirements document.

But who is CA/B Forum, and what is the significance of this decision?

As per its bylaws, the Certification Authority Browser Forum (CA/B Forum) is a voluntary gathering of leading Certification Authorities (CAs) and vendors of Internet browsers. Members of the CA/B Forum work closely together to define guidelines and best practices as a way of improving security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users.

However, the bylaws clearly state the Forum has no corporate or association status, but is simply a group of CAs and browser vendors who communicate or meet from time-to-time to discuss matters of common interest relevant. The Forum has no regulatory or industry powers over its members or others.

The current members of the CA/B Forum consist of 52 Certification Authorities and 6 Internet Browser vendors including Apple, Google, Microsoft, Mozila, Opera and 360; so what is the significance of this decision?

Certification Authority Authorization (CAA) was specified in RFC 6844 in 2013, and CAA Resource Records allow a public CA to implement additional controls to reduce the risk of unintended certificate mis-issue. CAA creates a DNS mechanism that enables domain name owners to whitelist CAs that are allowed to issue certificates for their hostnames, using a new DNS Resource Record (RR) type called CAA (Type 257, IANA assigned RR Type).

Owners can restrict certificate issuance by specifying zero or more CAs, so if a CA is allowed to issue a certificate, their own hostname will be in the DNS record. Before issuing a certificate, CAs are expected to check the DNS record and refuse issuance unless they find themselves on the whitelist.

The current Baseline Requirements Certificate Policy of the CA/B Forum describes “an integrated set of technologies, protocols, identity‐proofing, lifecycle management, and auditing requirements that are necessary (but not sufficient) for the issuance and management of Publicly‐Trusted Certificates; Certificates that are trusted by virtue of the fact that their corresponding Root Certificate is distributed in widely‐available application software. The requirements are not mandatory for Certification Authorities unless and until they become adopted and enforced by relying–party Application Software Suppliers.”

The fact that any CA can issue a certificate for any domain name is commonly cited as weakness of the system. But by adding mandatory CAA checks to the CA/B Forum Baseline Requirement which is also supported by all major browser vendors, it is highly likely that CAA adoption will rise significantly and reduce the risk of unintended certificate mis-issue.

If you’re looking for background information on how Public Key Infrastructures (PKIs) and Certificate Authorities (CA) support secure and private communication on the Internet, then Deploy360 has also published an overview of how these mechanisms work and how they are deployed.


Leave a Reply

Your email address will not be published. Required fields are marked *