A First Look at Certification Authority Authorization (CAA)

Quirin Scheitle, Taejoong Chung, Jens Hiller, Oliver Gasser, Johannes Naab, Roland Martijn van Rijswijk-Deij, Oliver Hohlfeld, Ralph Holz, David Choffnes, Alan Mislove, Georg Carle

Research output: Contribution to journal › Article › Academic › peer-review

10 Citations (Scopus)

Abstract

Shaken by severe compromises, the Web’s Public Key Infrastructure has seen the addition of several security mechanisms over recent years. One such mechanism is the Certification Authority Authorization (CAA) DNS record, which gives domain name holders control over which Certification Authorities (CAs) may issue certificates for their domain. CAA was first defined in RFC 6844, and its adoption by the CA/B Forum mandates that CAs validate CAA records as of September 8, 2017.
The success of CAA hinges on the behavior of three actors: CAs, domain name holders, and DNS operators. We empirically study their behavior, and observe that CAs exhibit patchy adherence in issuance experiments, domain name holders configure CAA records in encouraging but error-prone ways, and only six of the 31 largest DNS operators enable customers to add CAA records. Furthermore, using historic CAA data, we uncover anomalies for already-issued certificates.
We disseminated our results in the community. This has already led to specific improvements at several CAs and revocation of mis-issued certificates. Furthermore, in this work, we suggest ways to improve the security impact of CAA. To foster further improvements and to practice reproducible research, we share raw data and analysis tools.
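The mechanism the abstract describes, a CA deciding from a domain's CAA records whether it may issue, as an added worked example that is not code from the paper or its authors: an RFC 6844-style issuance check run against a constructed zone. The owner names, CA identifiers (`ca1.example.net`, `ca2.example.net`) and record data are invented for illustration; the tree-climbing lookup follows RFC 6844 section 4 in the simplified form later adopted by RFC 8659 (the CNAME-following step, live DNS resolution and DNSSEC validation are omitted).

```python
"""RFC 6844-style CAA issuance check against a constructed zone (illustrative, not the paper's code)."""
from dataclasses import dataclass

CRITICAL_FLAG = 0x80                       # "issuer critical" bit, RFC 6844 section 5.1
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(text: str) -> CAARecord:
    """Parse presentation format: <flags> <tag> "<value>", e.g. 0 issue "ca1.example.net"."""
    flags, tag, value = text.split(None, 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(int(flags), tag.lower(), value)


# Constructed zone data (assumption: names and CA identifiers are invented for this example).
ZONE = {
    "example.com.": ['0 issue "ca1.example.net"',
                     '0 issue "ca2.example.net; account=12345"',
                     '0 iodef "mailto:security@example.com"'],
    "shop.example.com.": ['0 issue ";"'],                      # empty issuer: nobody may issue
    "wild.example.com.": ['0 issue "ca1.example.net"',
                          '0 issuewild ";"'],                  # issuance allowed, wildcards forbidden
    "legacy.example.com.": ['128 futuretag "xyz"'],            # unknown tag with the critical flag set
    "open.example.com.": ['0 iodef "mailto:security@example.com"'],  # CAA present but no issue tag
}
ZONE = {owner: [parse_caa(t) for t in rrs] for owner, rrs in ZONE.items()}


def parent(name: str):
    """'www.example.com.' -> 'example.com.'; a TLD has no parent here (the root is not consulted)."""
    labels = name.rstrip(".").split(".")
    return None if len(labels) <= 1 else ".".join(labels[1:]) + "."


def relevant_rrset(zone, name: str):
    """Tree climb of RFC 6844 section 4 (CNAME step omitted): the first non-empty CAA RRset wins."""
    while name is not None:
        rrset = zone.get(name, [])
        if rrset:
            return rrset
        name = parent(name)
    return []


def issuer_domain(value: str) -> str:
    """'ca2.example.net; account=12345' -> 'ca2.example.net'; ';' -> '' (no issuer permitted)."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def caa_permits(zone, fqdn: str, issuer: str):
    """Decide whether a CA with CAA identifier `issuer` may issue for `fqdn`; returns (permitted, reason)."""
    name = fqdn.lower()
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]                    # a wildcard request is judged by the CAA set of the parent label
    if not name.endswith("."):
        name += "."
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True, "no relevant CAA RRset: issuance unrestricted"
    for rr in rrset:                       # critical flag on an unknown tag: MUST NOT issue
        if rr.flags & CRITICAL_FLAG and rr.tag not in KNOWN_TAGS:
            return False, f"critical unknown property tag {rr.tag!r}"
    tag = "issue"
    if wildcard and any(rr.tag == "issuewild" for rr in rrset):
        tag = "issuewild"                  # issuewild supersedes issue for wildcard names when present
    candidates = [rr for rr in rrset if rr.tag == tag]
    if not candidates:
        return True, f"no {tag} property in relevant RRset: issuance unrestricted"
    allowed = {issuer_domain(rr.value) for rr in candidates}
    if issuer.lower().rstrip(".") in allowed:
        return True, f"{issuer} authorized by {tag}"
    return False, f"{issuer} not in {tag} set {sorted(allowed)}"


if __name__ == "__main__":
    for fqdn, ca in [("www.example.com", "ca1.example.net"),     # inherits example.com: permitted
                     ("www.example.com", "ca3.example.net"),     # not listed: refused
                     ("shop.example.com", "ca1.example.net"),    # issue ";": refused
                     ("*.wild.example.com", "ca1.example.net"),  # issuewild ";": refused
                     ("wild.example.com", "ca1.example.net"),    # non-wildcard name: permitted
                     ("legacy.example.com", "ca1.example.net"),  # critical unknown tag: refused
                     ("open.example.com", "anyone.example"),     # iodef only: permitted
                     ("host.example.org", "ca1.example.net")]:   # no CAA anywhere: permitted
        ok, why = caa_permits(ZONE, fqdn, ca)
        print(f"{fqdn:22} {ca:16} {'PERMIT' if ok else 'REFUSE'}  ({why})")
```

The `open.example.com` and `legacy.example.com` cases are the ones the abstract's "error-prone" remark points at: a zone that carries only an `iodef` record restricts nothing, and a record with the critical bit set on a tag a CA does not understand blocks every issuer, not just the unintended ones.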
Original language: English
Journal: Computer communication review
Volume: 48
Issue number: 2
DOIs: 10.1145/3213232.3213235
Publication status: Published - 1 Apr 2018


Keywords

  • CAA
  • Web PKI
  • HTTPS Security

Cite this

Scheitle, Quirin; Chung, Taejoong; Hiller, Jens; Gasser, Oliver; Naab, Johannes; van Rijswijk-Deij, Roland Martijn; Hohlfeld, Oliver; Holz, Ralph; Choffnes, David; Mislove, Alan; Carle, Georg. / A First Look at Certification Authority Authorization (CAA). In: Computer communication review. 2018; Vol. 48, No. 2.
@article{67e22cf64c794f65ab02d7a782599773,
title = "A First Look at Certification Authority Authorization (CAA)",
abstract = "Shaken by severe compromises, the Web’s Public Key Infrastructure has seen the addition of several security mechanisms over recent years. One such mechanism is the Certification Authority Authorization (CAA) DNS record, that gives domain name holders control over which Certification Authorities (CAs) may issue certificates for their domain. First defined in RFC 6844, adoption by the CA/B forum mandates that CAs validate CAA records as of September 8, 2017. The success of CAA hinges on the behavior of three actors: CAs, domain name holders, and DNS operators. We empirically study their behavior, and observe that CAs exhibit patchy adherence in issuance experiments, domain name holders configure CAA records in encouraging but error-prone ways, and only six of the 31 largest DNS operators enable customers to add CAA records. Furthermore, using historic CAA data, we uncover anomalies for already-issued certificates. We disseminated our results in the community. This has already led to specific improvements at several CAs and revocation of mis-issued certificates. Furthermore, in this work, we suggest ways to improve the security impact of CAA. To foster further improvements and to practice reproducible research, we share raw data and analysis tools.",
keywords = "CAA, Web PKI, HTTPS Security",
author = "Quirin Scheitle and Taejoong Chung and Jens Hiller and Oliver Gasser and Johannes Naab and {van Rijswijk-Deij}, {Roland Martijn} and Oliver Hohlfeld and Ralph Holz and David Choffnes and Alan Mislove and Georg Carle",
year = "2018",
month = "4",
day = "1",
doi = "10.1145/3213232.3213235",
language = "English",
volume = "48",
journal = "Computer communication review",
issn = "0146-4833",
publisher = "Association for Computing Machinery (ACM)",
number = "2",

}

Scheitle, Q, Chung, T, Hiller, J, Gasser, O, Naab, J, van Rijswijk-Deij, RM, Hohlfeld, O, Holz, R, Choffnes, D, Mislove, A & Carle, G 2018, 'A First Look at Certification Authority Authorization (CAA)', Computer communication review, vol. 48, no. 2. https://doi.org/10.1145/3213232.3213235

A First Look at Certification Authority Authorization (CAA). / Scheitle, Quirin; Chung, Taejoong; Hiller, Jens; Gasser, Oliver; Naab, Johannes; van Rijswijk-Deij, Roland Martijn; Hohlfeld, Oliver; Holz, Ralph; Choffnes, David; Mislove, Alan; Carle, Georg.

In: Computer communication review, Vol. 48, No. 2, 01.04.2018.


TY  - JOUR
T1  - A First Look at Certification Authority Authorization (CAA)
AU  - Scheitle, Quirin
AU  - Chung, Taejoong
AU  - Hiller, Jens
AU  - Gasser, Oliver
AU  - Naab, Johannes
AU  - van Rijswijk-Deij, Roland Martijn
AU  - Hohlfeld, Oliver
AU  - Holz, Ralph
AU  - Choffnes, David
AU  - Mislove, Alan
AU  - Carle, Georg
PY  - 2018/4/1
Y1  - 2018/4/1
N2  - Shaken by severe compromises, the Web’s Public Key Infrastructure has seen the addition of several security mechanisms over recent years. One such mechanism is the Certification Authority Authorization (CAA) DNS record, that gives domain name holders control over which Certification Authorities (CAs) may issue certificates for their domain. First defined in RFC 6844, adoption by the CA/B forum mandates that CAs validate CAA records as of September 8, 2017. The success of CAA hinges on the behavior of three actors: CAs, domain name holders, and DNS operators. We empirically study their behavior, and observe that CAs exhibit patchy adherence in issuance experiments, domain name holders configure CAA records in encouraging but error-prone ways, and only six of the 31 largest DNS operators enable customers to add CAA records. Furthermore, using historic CAA data, we uncover anomalies for already-issued certificates. We disseminated our results in the community. This has already led to specific improvements at several CAs and revocation of mis-issued certificates. Furthermore, in this work, we suggest ways to improve the security impact of CAA. To foster further improvements and to practice reproducible research, we share raw data and analysis tools.
AB  - Shaken by severe compromises, the Web’s Public Key Infrastructure has seen the addition of several security mechanisms over recent years. One such mechanism is the Certification Authority Authorization (CAA) DNS record, that gives domain name holders control over which Certification Authorities (CAs) may issue certificates for their domain. First defined in RFC 6844, adoption by the CA/B forum mandates that CAs validate CAA records as of September 8, 2017. The success of CAA hinges on the behavior of three actors: CAs, domain name holders, and DNS operators. We empirically study their behavior, and observe that CAs exhibit patchy adherence in issuance experiments, domain name holders configure CAA records in encouraging but error-prone ways, and only six of the 31 largest DNS operators enable customers to add CAA records. Furthermore, using historic CAA data, we uncover anomalies for already-issued certificates. We disseminated our results in the community. This has already led to specific improvements at several CAs and revocation of mis-issued certificates. Furthermore, in this work, we suggest ways to improve the security impact of CAA. To foster further improvements and to practice reproducible research, we share raw data and analysis tools.
KW  - CAA
KW  - Web PKI
KW  - HTTPS Security
U2  - 10.1145/3213232.3213235
DO  - 10.1145/3213232.3213235
M3  - Article
VL  - 48
JO  - Computer communication review
JF  - Computer communication review
SN  - 0146-4833
IS  - 2
ER  -