Improving revocation: new DNS CAA flag "muststaple"?


If someone draft a RFC about a new flag for the DNS CAA: “muststaple”:

  • Will let’s encrypt be interested to implement it?
  • Will some let’s encrypt uses be interested to use it?

That flag will require that the certificate have the must-staple attribute.!topic/


I didn’t read the group thread (a liiiiitle bit TL;DR if you ask me!), but I myself are missing the usefulness of such a flag.

AFAIK the CAA system is there to ‘protect’ your domain from “accidental” or malicious issuing of certificates which aren’t under your control and could be used for MitM attacks by limiting the number of CA’s which are allowed to issue certificates for your domain.

The key here is: accidental or malicious issuing of certificates. Not legitimate certificates requested by yourself!

You yourself are in control of the CAA record. You yourself are in control of the issuing of a (must staple) certificate.

I do not see the additional value of such a flag, because when you request the issuing of such a certificate, you can ask for must staple then. Why would you put it in a CAA flag?

Read it anyway: TL;DR-version of the Google Groups thread: if someone is tricked into issuing a certificate for the domain (phising, or something else), the problem is that revocation is quite broken at the moment and OSCP stapling with must staple is sort of an answer to this, therefore requiring must staple through CAA improves security when someone is tricked in validating the domain for a malicious person and a certificate is generated by someone not allowed to.

Well, this implies CAA records are followed by every CA. There are a lot of CA’s not implementing CAA records. Therefore, the malicious user who is phising employees can just choose one of those CA’s. Or the Baseline Requirements should enforce the use of CAA records. In thát case, and only in that case, such a must staple flag in a CAA record could be usefull :slight_smile:


@Osiris Thank you for the feedback.

Actual CAA records protect only against accidental or malicious issuing of certificates from CA that conform with the CAA RFC.

The muststaple CAA flag I propose stay in that area: It prevent the issuance, accidental or malicious, of certificate without the must-staple flag from a CA that conform with the CAA RFC.

So that flag is useful against all CA that respect CAA: if marked critical, CA that understand CAA but not the flag muststaple should refused to issue a certificate (Right?).


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.