Certificate authorities (CAs) and web browsers voted overwhelmingly in favor of a ballot to make certification authority authorization (CAA) checking mandatory, an adopted motion which is set to take effect in September 2017.
In March 2017, CAs, web browsers, and other organizations involved with the CA/Browser Forum voted on Ballot 187. This motion received full support from Mozilla, Google, and Apple. Additionally, it gained 94 percent of participating CAs' votes. (Sertifitseerimiskeskus opposed the measure, whereas Actalis abstained.)
The now-passed Ballot 187 will make CAA checking mandatory beginning on 8 September 2017. Certification Authority Authorization allows domain owners to specify in the Domain Name System (DNS) which CAs are authorized to issue certificates for that domain. They do this by creating a CAA record containing an issuer domain name, the identifier each CA publishes in its certification practice statement (CPS), the document describing how it issues and manages public key certificates. Domain owners then publish those records in their DNS zone, ideally one signed with DNS Security Extensions (DNSSEC).
Domain owners can use CAA records to protect themselves against bad actors. Bruce Morton, director of certificate technology and standards at Entrust, elaborates on this point:
"CAA may be the best way to protect domain owners from having fraudulent certificates issued in their domain name. This has become increasingly important with the proliferation of unauthorized DV certificates."
DV certificates (short for "domain validated") are the most common type of SSL certificate; they require validation of control over the domain name only. Domain owners can complete this validation by confirming the email address listed in the domain's WHOIS record or by placing a verification file on the website. Attackers can pass this check easily by hacking a site administrator's email account, for example, or by stealing the login credentials for a domain. To protect against such activity and establish a deeper level of trust with web users, some domain owners opt for additional verification by obtaining an organization validated (OV) or extended validation (EV) certificate.
CAA augments security for domain owners through its three properties: "issue," which authorizes a CA to issue certificates for the domain; "issuewild," which authorizes a CA to issue wildcard certificates only; and "iodef," which gives a CA a means to report requests that violate the CAA record policy. Under these rules a CA can't issue a new certificate unless the certificate request exactly matches an existing CAA record or a limited, CPS-documented exception applies. Domain owners can therefore use CAA records and their three properties to protect their entire domain or specific hostnames, and to control single-name certificates, wildcard certificates, or both.
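To make the rules above concrete, here is an added example (not part of the original article, and not any CA's production code) that models the RFC 6844 check a CA performs: climb the name tree to the nearest CAA record set, pick "issuewild" for wildcard requests when present, and refuse if the issuer domain is not listed. The zone contents, CA names and hostnames are constructed for the example; a real CA queries DNS instead of a dictionary.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) marks an issuer-critical property
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # issuer domain plus optional ";param=value", or a report URL

# Constructed zone for the example: CAA record sets keyed by owner name.
ZONE = {
    "example.com.": [
        CAA(0, "issue", "ca.example.net; policy=ev"),
        CAA(0, "issuewild", ";"),            # empty issuer: no wildcards at all
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com.": [CAA(0, "issue", "other-ca.example.org")],
}

def relevant_rrset(zone, name):
    """Climb from name toward the root; the first CAA set found governs (aliases not modelled)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []

def issuer_of(value):
    return value.split(";", 1)[0].strip().lower()  # issuer domain precedes ';' parameters

def issuance_permitted(zone, fqdn, ca_domain):
    """May ca_domain issue a certificate for fqdn (possibly '*.example')?"""
    is_wild = fqdn.startswith("*.")
    rrset = relevant_rrset(zone, fqdn[2:] if is_wild else fqdn)
    if not rrset:
        return True   # no CAA record anywhere in the tree: any CA may issue
    if any(r.flags & 128 and r.tag not in {"issue", "issuewild", "iodef"} for r in rrset):
        return False  # unknown critical property: the CA must refuse
    tag = "issue"
    if is_wild and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # wildcard requests follow issuewild when it exists
    records = [r for r in rrset if r.tag == tag]
    if not records:
        return True   # set restricts nothing for this kind of request
    return ca_domain.lower() in {issuer_of(r.value) for r in records}

def iodef_contacts(zone, fqdn):
    """Where a CA should report requests that violate the CAA policy."""
    rrset = relevant_rrset(zone, fqdn[2:] if fqdn.startswith("*.") else fqdn)
    return [r.value for r in rrset if r.tag == "iodef"]
```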
In preparation for Ballot 187's implementation in September 2017, domain owners should protect themselves by publishing CAA records as described in RFC 6844. For added security, they should invest in a solution that continuously monitors the keys and certificates in their encryption environment. Such a tool should, among other things, automatically generate notifications if and when it discovers a rogue certificate.