Root Causes 63: What Is CAA?
CAA, which stands for CA Authorization, is the capability for the domain name owner to specify in DNS which CAs are allowed to issue SSL certificates for a specific domain. Join us to learn more about CAA, including how it works and its potential benefits to businesses.
- Original Broadcast Date: January 29, 2020
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
So, what are we going to talk about today? This is one of our explainer podcasts where we're gonna define and explain a term, and the term today, which is very specific to the TLS world, the SSL world, is CAA.
-
Jason Soroko
CAA. Yes. Um, that's the public trust realm, Tim. I guess that's your world that uh - -
-
Tim Callan
It’s very much so. So, CAA stands for CA authorization, which in a way is kind of a funny word because CA of course stands for Certificate Authority. So that's like saying Certificate Authority Authorization, but what it is, is it's authorization of a Certificate Authority to issue public certificates against a domain name that you control.
-
Jason Soroko
Right. So, I would imagine if I owned, you know, jason.com, you know, I actually happen to own soroko.com.
-
Tim Callan
Sure. Doesn’t surprise me.
-
Jason Soroko
Little known factoid, I ordered that domain name back when it used to be done with a letter that you had to put in an envelope and lick a stamp. That's how far back that goes. So, owning that domain, I would be able to essentially whitelist a Certificate Authority who I would allow to generate certificates against that domain. Is that right?
-
Tim Callan
Right. So, how it works is - - so, it's done through DNS, right? There's a certain syntax that you put into the DNS record because that's how these things tend to be done. And, if there's no record present, then all CAs may issue against that because, of course, that's the most common scenario. But if you choose to use CAA, then that's exactly what you're doing. You are whitelisting a set of CAs that are able to issue against this domain and you follow a specific syntax, and then the CAs, by CA/Browser Forum rules, by the Baseline Requirements, must check against CAA before issuing that cert, and in the event that they issue a cert against a domain where a record is present and they are not whitelisted, then that is considered to be a BR violation.
-
Jason Soroko
So, Tim, would you consider this another layer of double-check security on top of say something like the CT logs?
-
Tim Callan
Yeah. I think primarily it's a command-and-control thing. So, if I have a large company and I have a lot of employees that are out there doing who knows what, it is possible that I have employees who are issuing certs that I'd rather they weren't issuing or who are issuing certs but aren't using my right platform. So, if I go to a major CA and I have a cert management platform, and I own everything in the cert management platform, and I got dudes going to the website and putting in their credit card, then those certs aren't in my platform. Or, if I have people who are, you know, potentially standing up services with certs and I'm going to find out the hard way when those certificates expire because nobody has bothered to maintain them and suddenly something I care about stops working, all of those scenarios are mitigated, are made less likely, by putting more control over how certs are issued, and this is something that does that.
-
Jason Soroko
If I'm a small business owner, for example, and I don't have a team of people checking CT logs, it's just another layer of checking, but as you say, there's other reasons for it, depending on what your needs are.
-
Tim Callan
Yeah. And I think the real - - the most beneficial scenario is exactly that one. The large company, where there are a lot of people who might have both the authority and the acumen to get certificates, but then they may lose interest, get transferred, get a new job, leave the company and suddenly those things don't get managed, and we find out the hard way when our website doesn't work. Right? And this, you know, history is just riddled with examples of this exact scenario and so the various aspects that people can put in place to prevent that wind up being healthy for subscribers, for the companies that are running these online services. And, you know, it's not all that different in that regard from certificate discovery, which we've talked about in the past, which is where you go out and you crawl, and you find certificates that are part of your network or your infrastructure or your services that you didn't know about and that's really to accomplish the same sort of thing.
-
Jason Soroko
So, how do I go about making this whitelist, Tim?
-
Tim Callan
So, you go in and there's a certain specific syntax that you need to follow and you go and you establish a DNS record and you put it correctly and then literally what you're doing is you're listing - - actually, the way it's structured is you wind up listing the domain names of those issuing CAs and that's important because that means that a certificate from Sectigo.com and a certificate from Positivessl.com are not the same. Right? So, it winds up being kind of on a brand-by-brand basis. You have to go ahead, and you put those in, and then once those are in, those are allowed if you're doing a CAA check, which of course, if you're not doing a CAA check, then you have other problems if you're a public CA. And then there's more nomenclature than just that. So, in addition to the certificates, you can also establish whether wildcards are allowed. Or it’s odd. It's the opposite of that. You can establish whether only wildcards are allowed. So, there's something in the nomenclature where you could say for this domain, I only want to use wildcards. And, um, then it will basically, you can't issue a non-wildcard against it and that's also built into the spec, which I really don't think is used very much.
-
Jason Soroko
Well, that's cool, Tim.
-
Tim Callan
Yeah.
-
Jason Soroko
You know, uh, good to know. I think it's important to be on this podcast so that, you know, anybody who is interested in that can go out and seek out how to do it. I think all security layers are good. What else should I know about it?
-
Tim Callan
Well, I think it's just kind of, if we take it up one level of abstraction, you know, you have spoken in the past, Jason, and I know you feel, and I do, too, that it's all just about an ecosystem. So, you know, this is one small thing, right? Which is I put a DNS record and people can come and they can look at the DNS record and in and of itself, it's not a big deal, but what you're doing in the world of public CAs is we build this pretty complicated ecosystem of systems and checks and rules and all of them together as a picket fence, create the secure, trusted world that we come to expect. So, it's something like CAA. It's something like a very specific section of the CA Browser Forum authentication rules. It's something like, you know, having certain expiration dates and requirements and when you put all of these things together, you wind up with the trusted ecosystem that we depend on to keep these things running. And, you know, this is a great example of that. In and of itself, CAA is not really that big a deal, but it's part, it's one of the pieces that come together to make the big, giant puzzle that is a functioning, global, consistent, ubiquitous public CA or public PKI platform that runs across, for all intents and purposes, all hardware, software, and services. And, you know, that's how you do it. You focus on these very specific areas and you get those specific areas right and this is one specific precise example of that.
-
Jason Soroko
That's perfectly said, Tim, and, you know, in the realm of security, anytime I see a whitelist example of a layer of security within an ecosystem I like it because it tends to be simple, it tends to be very blunt, and we need more of that in security. So, you know, whitelists are great, and this just is another good example of that.
-
Tim Callan
Yeah, and there's examples where they work and where they don’t, but this is an example where they actually work quite well and you can control, right? Again, so much of it is about command and control. I want to know this is the set of CAs that I feel good about, I vetted them, or, like I said, I have a management platform, or I've negotiated pricing, right? Or whatever reasons I want to focus on these and I just want to restrict it to that, and this is a way that I can do that.
-
Jason Soroko
Well, thank you, Tim. I think, you know, for those of us who are curious about, especially in the public trust realm, it's an important topic to know about and maybe something you might want to look at.
-
Tim Callan
Cool. All right. So, thank you, Jay. I always enjoy our talks. Thank you everybody.
-
Jason Soroko
You, too.
-
Tim Callan
This has been Root Causes.
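A worked example, added to this transcript and not code from the podcast, Sectigo, or any CA, of the check a public CA performs against the DNS records discussed above. It follows RFC 8659: walk from the requested name toward the root until a CAA record set is found, apply `issue` records to ordinary names and `issuewild` records to wildcard names (falling back to `issue` when the set has no `issuewild`), treat a bare `;` as "no CA is authorized", and refuse issuance when a property the CA does not understand carries the critical flag. A real CA resolves these over DNS; here the zone is an in-memory dictionary, and every name, record and the tag `futuretag` are constructed for illustration.

```python
"""Evaluate CAA (RFC 8659) authorization over a constructed in-memory zone.

Constructed example: not the podcast's or any CA's production code.
"""
from dataclasses import dataclass
from typing import Dict, List

CRITICAL_FLAG = 128  # issuer-critical bit: an unknown critical property forbids issuance
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rdata: str) -> CAARecord:
    """Parse the presentation format '<flags> <tag> "<value>"' of one CAA record."""
    flags_s, tag, rest = rdata.split(None, 2)
    value = rest.strip()
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    return CAARecord(int(flags_s), tag.lower(), value)


def relevant_rrset(zone: Dict[str, List[str]], fqdn: str) -> List[CAARecord]:
    """RFC 8659 section 3: the relevant set is the first non-empty CAA RRset found
    walking from fqdn toward the root. No set anywhere means no restriction."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = zone.get(name)
        if rrset:
            return [parse_caa(r) for r in rrset]
    return []


def issuer_names(records: List[CAARecord], tag: str) -> set:
    """Issuer domain names granted by records with this tag. Parameters after ';'
    (e.g. validationmethods) are ignored; a bare ';' grants nobody."""
    names = set()
    for r in records:
        if r.tag != tag:
            continue
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer:
            names.add(issuer)
    return names


def may_issue(zone: Dict[str, List[str]], fqdn: str, issuer: str) -> bool:
    """Return True if `issuer` (the CA's issuer-domain-name) may issue for `fqdn`."""
    wildcard = fqdn.startswith("*.")
    lookup = fqdn[2:] if wildcard else fqdn  # *.X is evaluated against the set for X
    records = relevant_rrset(zone, lookup)

    # A critical property the CA does not understand means it must not issue.
    if any(r.flags & CRITICAL_FLAG and r.tag not in KNOWN_TAGS for r in records):
        return False

    # Wildcards use issuewild when present; otherwise issue governs both kinds.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    if not any(r.tag == tag for r in records):
        return True  # the relevant set states no restriction for this kind of issuance
    return issuer.lower() in issuer_names(records, tag)


# Constructed zone data for illustration only.
ZONE = {
    "example.com": [
        '0 issue "sectigo.com"',
        '0 issue "letsencrypt.org; validationmethods=dns-01"',
        '0 issuewild ";"',  # no CA may issue wildcard certs for example.com
        '0 iodef "mailto:security@example.com"',
    ],
    "shop.example.org": ['0 issue "sectigo.com"'],  # no issuewild: issue covers wildcards
    "locked.example.com": ['128 futuretag "x"'],  # constructed unknown critical tag
    "example.net": [],  # no CAA published: any CA may issue
}


def main() -> None:
    checks = [
        ("www.example.com", "sectigo.com"),
        ("www.example.com", "positivessl.com"),
        ("*.example.com", "sectigo.com"),
        ("*.shop.example.org", "sectigo.com"),
        ("locked.example.com", "sectigo.com"),
        ("www.example.net", "anyca.example"),
    ]
    for name, ca in checks:
        print(f"{name:22} {ca:16} -> {'ALLOW' if may_issue(ZONE, name, ca) else 'DENY'}")


if __name__ == "__main__":
    main()
```

The walk toward the root is what makes a single record at `example.com` govern every hostname beneath it, and the `issuewild` line shows how wildcard issuance is controlled separately from ordinary issuance; a practitioner auditing a zone can run the same checks against the CA names they intend to permit.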