If a CA sends mail to the CAA iodef contact, when should it?

In the CA/B BRs the only time a report is sent is when an issuance request was blocked by CAA, but I think a domain holder will care more about a successful issuance for their domain. I personally think we wouldn't want to send email when any auth was created; I think that'd become spam fast.

CAs MUST document potential issuances that were prevented by a CAA record in
sufficient detail to provide feedback to the CAB Forum on the circumstances, and
SHOULD dispatch reports of such issuance requests to the contact(s) stipulated in the
CAA iodef record(s), if present. CAs are not expected to support URL schemes in the
iodef record other than mailto: or https:.

2 Likes
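To make the distinction in the post concrete, here is an added example (my own code, not Let's Encrypt's or any CA's) that evaluates CAA the way RFC 8659 describes and then applies the BR rule quoted above: iodef contacts are only returned for a request that CAA actually blocked, and only mailto: / https: contacts are kept. The zone data, owner names and CA names below are constructed stand-ins for real DNS lookups.

```python
"""Constructed CAA evaluation (RFC 8659) plus the BR reporting rule quoted
in the post: report to iodef contacts only when issuance was blocked.
Added example, not code from Let's Encrypt or any CA; the zone is made up."""

from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]   # (flags, tag, value)
CRITICAL = 0x80                    # issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone: owner name -> CAA RRset (stands in for DNS queries).
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                        # ";" = nobody may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
        (0, "iodef", "ftp://unsupported.example/"),   # scheme CAs need not support
    ],
    "sub.example.com": [
        (0, "issue", "digicert.com; accounturi=https://acme.example.invalid/acct/1"),
    ],
    "other.example": [(0, "iodef", "https://iodef.example/report")],   # iodef only
    "locked.example": [(CRITICAL, "mystery", "x"), (0, "issue", "letsencrypt.org")],
}


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def relevant_rrset(zone: Dict[str, List[CAARecord]], fqdn: str
                   ) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 s3: walk from the FQDN toward the root; the first owner name
    that has any CAA records is the relevant RRset (nothing above it applies)."""
    labels = _norm(fqdn).split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def _authorizes(value: str, ca_domain: str) -> bool:
    # issuer-domain-name is everything before the first ";"; the rest are parameters
    issuer = value.split(";", 1)[0].strip().lower()
    return issuer != "" and issuer == _norm(ca_domain)


def issuance_allowed(zone: Dict[str, List[CAARecord]], fqdn: str,
                     ca_domain: str, wildcard: bool = False) -> bool:
    """True if a CA identified by ca_domain may issue for fqdn under CAA."""
    _, rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True        # no CAA anywhere in the chain: unrestricted
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS
           for flags, tag, _ in rrset):
        return False       # unknown property marked critical: MUST NOT issue
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # wildcard requests use issuewild when present, otherwise fall back to issue
    applicable = (issuewild or issue) if wildcard else issue
    if not applicable:
        return True        # no issue/issuewild property at all: unrestricted
    return any(_authorizes(v, ca_domain) for v in applicable)


def iodef_contacts(zone: Dict[str, List[CAARecord]], fqdn: str) -> List[str]:
    """iodef contacts from the relevant RRset, keeping only mailto:/https: URLs
    (the only schemes the BRs expect a CA to support)."""
    _, rrset = relevant_rrset(zone, fqdn)
    return [v for _, t, v in rrset
            if t.lower() == "iodef" and v.lower().startswith(("mailto:", "https:"))]


def report_targets(zone: Dict[str, List[CAARecord]], fqdn: str,
                   ca_domain: str, wildcard: bool = False) -> List[str]:
    """BR rule as quoted in the post: a report goes out only for a request
    that CAA prevented; a successful issuance produces no iodef report."""
    if issuance_allowed(zone, fqdn, ca_domain, wildcard):
        return []
    return iodef_contacts(zone, fqdn)


if __name__ == "__main__":
    for name, ca, wild in [("www.example.com", "letsencrypt.org", False),
                           ("www.example.com", "letsencrypt.org", True),
                           ("host.sub.example.com", "letsencrypt.org", False)]:
        print(name, ca, "wildcard" if wild else "", "->",
              "allowed" if issuance_allowed(ZONE, name, ca, wild) else "blocked",
              report_targets(ZONE, name, ca, wild))
```

Note that `www.example.com` inherits the `example.com` RRset because it has no CAA records of its own, while `host.sub.example.com` stops at `sub.example.com` and never sees the parent's issue or iodef records; that is also why a domain holder who wants iodef reports has to publish the iodef record at every level that carries its own issue records.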

Well, at least as of last April, nobody here seemed to know of a CA that actually used iodef at all.

I noticed that in the dev-security-policy discussion of adding a root to Mozilla's trust store for iTrusChina, they mentioned that in their CSP they would add "When the certificate requests or issuances violate the security policy of the Issuer or the FQDN holder, if the tag "iodef" exists in CAA records, iTrusChina will dispatch reports of such issuance requests to the contact(s) stipulated in the CAA iodef record(s)." So maybe CAs are starting to use it.

I don't know if the mechanism should be through CAA, but I think I've mentioned here somewhere that I wish one could configure Let's Encrypt to send out email alerts for more things. In particular, being able to change the contact email and/or account key without any emails or other notifications being sent strikes me as problematic. Also, if a certificate is revoked via certificate key, probably the associated account contact should get notified somehow.

But in the case you mention here, if one wants to be notified of any successful issuance for their domain from any public CA, I think the current solution (rather than using CAA) would be to monitor the Certificate Transparency logs. There are several services out there that can help one check and set up alerting of some sort whenever a domain gets a new certificate.

6 Likes