Connect with us

Hi, what are you looking for?


Network Security

Mandatory Certificate Authority Authorization Checks Will Boost Domain Security

The issuance of SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates is expected to become a more secure process this September, after the implementation of mandatory Certificate Authority Authorization (CAA) checks.

The issuance of SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates is expected to become a more secure process this September, after the implementation of mandatory Certificate Authority Authorization (CAA) checks.

After Certificate Authorities (CAs) and browser makers voted last month to make CAA checking mandatory, the new standard will be implemented starting September 8, 2017, according to Ballot 187 on the CA/Browser Forum site. Starting then, all CAs will have to check CAA records at issuance time for all certificates, which should prevent them from issuing certificates if not permitted to.

CAA is a DNS Resource Record that “allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain and, by implication, that no other CAs are authorized.”

Domain owners will be able to set an issuance policy that all publicly-trusted CAs should comply with, thus preventing CAs from wrongfully issuing HTTPS certificates. This new standard should also mitigate the issue that “the public CA trust system is only as strong as its weakest CA,” Ballot 187 also reveals.

CAs will have to check “for a CAA record for each dNSName in the subjectAltName extension of the certificate to be issued.” This standard, however, doesn’t prevent CAs to check CAA records at any other time.

Apparently, CAA checking isn’t required in specific scenarios, such as for “certificates for which a Certificate Transparency pre-certificate was created and logged in at least two public logs, and for which CAA was checked.”

If the CA or an Affiliate of the CA is the DNS Operator of the domain’s DNS, CAA checking becomes optional, the same as “for certificates issued by a Technically Constrained Subordinate CA Certificate as set out in Baseline Requirements section 7.1.5, where the lack of CAA checking is an explicit contractual provision in the contract with the Applicant.”

CAs are also required to document potential issuances that were prevented by the CAA, and should also send reports of the requests to the contact(s) stipulated in the CAA iodef record(s), if present.

Advertisement. Scroll to continue reading.

17 out of 19 voting CAs (94%) voted in favor of the new CAA standard. All three participating browser makers (Mozilla, Google, and Apple) voted in favor.

Related: Mozilla Wants 64 Bits of Entropy in Certificate Serial Numbers

Related: Symantec Revokes Wrongly Issued Certificates

Related: Google Adds Certificate Transparency Log for Untrusted CAs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...