2017.09.08 CAA Checking Algorithm Incident

On Friday September 8, 2017, at 10:04pm US Pacific time, Let’s Encrypt received a report pointing out a certificate that should not have been issued per CAA RFC 6844.

When CAA checking became mandatory on September 8, 2017, the requirement permitted only the CAA checking algorithm specified in RFC 6844. Since our launch in late 2015, prior to any CAA checking requirements, Let’s Encrypt had implemented the CAA checking algorithm specified in erratum 5065. Let’s Encrypt did not move to the RFC 6844 algorithm on September 8, which meant we became non-compliant. It was possible to issue a certificate that was allowed under erratum 5065 but not allowed under RFC 6844.
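To make the divergence concrete, the following added example (not Let’s Encrypt’s Boulder code) implements both lookups over constructed in-memory DNS data: RFC 6844 section 4 defines R(X) so that a CNAME at X is resolved as R(A(X)), which also climbs the alias target’s parents, while erratum 5065 consults only CAA(A(X)) before climbing X’s own parents. The names, records and the simplified permission check are all assumptions for illustration.

```python
# Added example: RFC 6844 section 4 tree climbing vs. the erratum 5065 variant,
# evaluated over a constructed in-memory zone (not Let's Encrypt's Boulder code).
from typing import Dict, List, Optional

# Constructed DNS data: label -> CNAME target, label -> CAA "issue" values.
# The issue value ";" forbids all issuance at that label.
CNAME: Dict[str, str] = {"www.example.com": "host.cdn.example.net"}
CAA: Dict[str, List[str]] = {"cdn.example.net": [";"]}


def parent(x: str) -> Optional[str]:
    """P(X): the label immediately above X; None once the parent would be a TLD."""
    _, _, rest = x.partition(".")
    return rest if "." in rest else None


def rfc6844(x: str) -> List[str]:
    """R(X) per RFC 6844 section 4: the CNAME target is evaluated recursively."""
    if CAA.get(x):
        return CAA[x]
    target = CNAME.get(x)
    if target is not None:
        via_alias = rfc6844(target)  # R(A(X)): also climbs the target's parents
        if via_alias:
            return via_alias
    p = parent(x)
    return rfc6844(p) if p else []


def erratum5065(x: str) -> List[str]:
    """R(X) per erratum 5065: only CAA(A(X)) is consulted, never A(X)'s parents."""
    if CAA.get(x):
        return CAA[x]
    target = CNAME.get(x)
    if target is not None and CAA.get(target):
        return CAA[target]  # CAA(A(X)) only, no climb from the alias target
    p = parent(x)
    return erratum5065(p) if p else []


def issuance_allowed(records: List[str], ca_domain: str) -> bool:
    """Simplified check: no records permits any CA; otherwise the CA must be listed."""
    return not records or ca_domain in records


if __name__ == "__main__":
    name, ca = "www.example.com", "letsencrypt.org"
    print("RFC 6844    :", rfc6844(name), issuance_allowed(rfc6844(name), ca))
    print("erratum 5065:", erratum5065(name), issuance_allowed(erratum5065(name), ca))
```

With this data the RFC 6844 lookup reaches the forbidding record at cdn.example.net through the alias, while the erratum 5065 lookup finds nothing at the alias target, climbs to example.com, and ends with an empty set that permits issuance.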

We believe the algorithm specified in erratum 5065 is superior, and it’s what should have been specified in RFC 6844. There appears to be near-consensus on this in the Web PKI community (at least among those who have discussed the issue), including the CAA IETF working group. There have been many discussions on this topic in the CA community, and it seems very likely that a ballot will pass soon which makes the erratum 5065 algorithm compliant.

Based on PKI community discussions, it was our understanding that implementing the erratum 5065 algorithm would be allowed by root programs after the September 8, 2017 Baseline Requirements deadline for CAA came into effect. Our understanding was incorrect, and we should have sought explicit public dispensation for our divergence from the Baseline Requirements before the deadline. CAs should not assume that divergences from the Baseline Requirements are allowed without explicit public permission from root programs. Anything less would set a bad precedent and open the door to abuse.

A change to bring our CAA checking algorithm into compliance was deployed to production shortly before 17:30 UTC on September 14, 2017.

The certificate cited by the reporter was revoked within 24 hours of the report.

We have publicly asked the Mozilla and Google root programs for permission to deploy the erratum 5065 CAA checking algorithm immediately while we work on getting a ballot passed to change the CA/B Forum Baseline Requirements.