In a few months, publicly trusted certificate authorities will have to start honoring a special Domain Name System (DNS) record that allows domain owners to specify who is allowed to issue SSL certificates for their domains.
The Certification Authority Authorization (CAA) DNS record became a standard in 2013 but didn’t have much of a real-world impact because certificate authorities (CAs) were under no obligation to conform to them.
The record allows a domain owner to list the CAs that are allowed to issue SSL/TLS certificates for that domain. The reason for this is to limit cases of unauthorized certificate issuance, which can be accidental or intentional, if a CA is compromised or has a rogue employee.
Leave a reply