CAA records

Issue #692 resolved
Dave Tonge created an issue

5.2.1. Requirements for all endpoints
NOTE 1: Even if an endpoint uses only organization validated (OV) or extended validation (EV) TLS certificates, an attacker using rogue domain-validated certificates is able to impersonate the endpoint and conduct man-in-the-middle attacks. CAA records [RFC8659] help to mitigate this risk.

[Rifaat] The above statement is suggesting that implementation should consider implementing CAA records to avoid this attack. Why not explicitly call that out, instead of mentioning this in a note?
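To make concrete what the note only hints at, here is an added example (not part of the FAPI issue or the spec text) of the RFC 8659 processing a CA applies: climb from the requested name towards the root to find the relevant CAA RRset, then decide whether a given issuer is authorised. The `ZONE` table is constructed sample data standing in for real DNS answers, and `PLACEHOLDER` is not a real account URI.

```python
# Added example (not from the FAPI issue or spec): RFC 8659 CAA processing.
# The ZONE table is constructed sample data; a real CA or monitoring tool
# would fetch the CAA RRsets from DNS instead.
from typing import Dict, List, Optional, Tuple

CAA = Tuple[int, str, str]   # (flags, tag, value); flag bit 128 = "critical"
CRITICAL = 128
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

ZONE: Dict[str, List[CAA]] = {
    "example.com": [(0, "issue", "letsencrypt.org"),
                    (0, "iodef", "mailto:security@example.com")],
    "api.example.com": [(0, "issue", "digicert.com; accounturi=PLACEHOLDER"),
                        (0, "issuewild", ";")],        # no wildcard certs at all
    "strict.example.com": [(CRITICAL, "tbs", "Unknown")],  # unknown critical tag
}


def relevant_caa(zone: Dict[str, List[CAA]], name: str) -> Optional[List[CAA]]:
    """RFC 8659 s3: walk from the name towards the root; the first CAA RRset
    found (on the name itself or an ancestor) is the relevant one."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)
    return None


def ca_may_issue(zone: Dict[str, List[CAA]], name: str, ca: str,
                 wildcard: bool = False) -> bool:
    """Decide whether the issuer domain `ca` is authorised for `name`."""
    rrset = relevant_caa(zone, name)
    if rrset is None:
        return True                     # no CAA anywhere: issuance unrestricted
    # An unrecognised property marked critical forbids issuance outright.
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS
           for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True                     # only iodef etc.: no issuance restriction
    # The issuer domain precedes any ';' parameters; an empty domain means "nobody".
    allowed = {v.split(";")[0].strip().lower() for v in applicable}
    return ca.lower() in allowed and ca != ""
```

Without such a record on `example.com`, the lookup for `www.example.com` returns `None` and any CA may issue, which is exactly the rogue DV-certificate exposure the note describes.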

Comments (4)

  1. Dave Tonge reporter

    We had a brief discussion, it probably is possible to test this so we could make it normative. @Daniel Fett what do you think?

  2. Daniel Fett

    Yes, it is hard to test, it might not be a perfect protection, and feels like overstepping into territory outside of FAPI’s scope.

  3. Nat Sakimura

    From FAPI WG Meeting (2024-05-15)

    • Provide hints to implementers to mitigate impersonated domain validated certificates
    • It is hard to test and so we will not make it normative.
    • Consensus to leave current text as-is recommending but not requiring CAA records, as requiring them would be outside the scope of FAPI
