<b>What stops any public CA from issuing a valid certificate for your domain right now?</b>
An uncomfortable property of the WebPKI is that any of the ~100 publicly trusted CAs can, by default, issue a certificate for any domain — your browser trusts them all equally. Domain validation proves control to one CA, but nothing stops a different CA from being tricked or compromised into issuing for the same name. The mechanism that constrains this is CAA (Certification Authority Authorization, RFC 8659).
A CAA record is a DNS entry naming which CAs are permitted to issue for your domain. Publish CAA 0 issue "letsencrypt.org" and any compliant CA other than Let's Encrypt is obligated to refuse issuance: it must look up CAA at validation time and abort if it is not listed. The CA/Browser Forum Baseline Requirements made CAA checking mandatory for all public CAs in 2017, which is what gives the record teeth: it is enforced by audited policy, not by the protocol.
The nuance often missed: CAA is checked by the issuing CA, not by the client. A browser never reads CAA, and a present-but-violated CAA record does not make an already-issued certificate invalid to clients. CAA is a preventive control at issuance time, defending against a misbehaving or tricked CA, not a runtime check. The iodef property additionally lets you receive an email report when a CA encounters a violating request — a free mis-issuance tripwire.
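Added example, not code from the original post: a small offline Python model of the decision a compliant CA must make at validation time under RFC 8659 (climb to the Relevant RRset, honour the issuer-critical flag, apply issue or issuewild, note where an iodef report would go). The zone data is constructed, and ZONE, relevant_records and caa_permits are assumed names.

```python
from __future__ import annotations

# Constructed sample zone: owner name -> list of (flags, tag, value) CAA records.
# Names with no CAA RRset are simply absent, as in a real tree walk.
ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),              # only Let's Encrypt may issue
        (0, "issuewild", ";"),                        # nobody may issue wildcards
        (0, "iodef", "mailto:security@example.com"),  # violation reports go here
    ],
    "internal.example.com.": [(128, "newtag", "x")],  # critical flag on unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_records(name: str, zone: dict) -> list:
    """RFC 8659 s.3: climb from the name toward the root; the first non-empty
    CAA RRset is the Relevant RRset. An empty list means no restriction."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []

def caa_permits(fqdn: str, issuer: str, zone: dict = ZONE) -> tuple[bool, str]:
    """What a compliant CA (identified by issuer, e.g. 'letsencrypt.org') must
    conclude before issuing for fqdn. Run by the CA at validation time; a
    browser never evaluates this."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_records(fqdn[2:] if wildcard else fqdn, zone)
    if not rrset:
        return True, "no CAA records in scope: any CA may issue"
    # Issuer-critical flag (bit 0, value 128) on a tag we do not understand: refuse.
    for flags, tag, _ in rrset:
        if flags & 128 and tag not in KNOWN_TAGS:
            return False, f"critical unknown property '{tag}'"
    # issuewild governs wildcard names when present; otherwise issue applies.
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    # Value is 'issuer-domain-name [; params]'; ';' alone names no issuer at all.
    allowed = [v.split(";")[0].strip() for _, t, v in rrset if t == tag]
    iodef = [v for _, t, v in rrset if t == "iodef"]
    if not allowed:
        return True, f"no {tag} property: any CA may issue"
    if issuer in allowed:
        return True, f"{issuer} is authorized by {tag}"
    return False, f"{issuer} not in {tag} {allowed}; report to {iodef or 'nobody'}"

if __name__ == "__main__":
    for fqdn, ca in [("www.example.com", "letsencrypt.org"), ("www.example.com", "other-ca.example"),
                     ("*.example.com", "letsencrypt.org"), ("internal.example.com", "letsencrypt.org")]:
        print(fqdn, ca, caa_permits(fqdn, ca))
```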
Evidence vs. speculation: mandatory CAA checking is documented in CA/B Forum Baseline Requirements §3.2.2.8; its limitation to issuance-time is inherent to the design, not a gap to be fixed client-side.
<b>Further reading:</b> RFC 8659 (CAA); RFC 8657 (CAA for ACME); CA/B Forum Baseline Requirements §3.2.2.8.
<b>Bottom line:</b> By default every public CA can issue for your domain — a CAA record is the only standardized way to restrict that, enforced by CAs at issuance under audited policy; add iodef to turn it into a mis-issuance alarm, but remember it gates issuance, not the client.
Handshake Papers
@HandshakePapers
This post was published in the Telegram channel Handshake Papers. You can subscribe via the link: @HandshakePapers.