
TLS certificates: CAAs to put certification bodies on the leash

Friday, September 8th, 2017 | bitcoin updates

08.09.2017 06:00 | Jürgen Schmidt

Admins can use a Certification Authority Authorization (CAA) DNS record to specify who may sign certificates for their domain. As of September 8, these records are binding for certification authorities.
Encryption on the Internet should become more secure. From 8 September, all certification authorities (CAs) are required to check via DNS whether a Certification Authority Authorization (CAA) record exists before issuing a certificate. Until now, every CA and sub-CA worldwide has been able to issue certificates for any domain, which has led to misuse.
Specifically, the hostmaster of the domain example.com can now create the following CAA entries in the zone file of his DNS server:
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild "comodoca.com"
example.com. CAA 0 iodef "https://iodef.example.com/"
They state that Mozilla's Let's Encrypt may issue certificates for any hostname in the domain, and that Comodo is additionally authorized to issue wildcard certificates for *.example.com. If a CA that is not listed receives a certificate request for the domain, it must reject the request and notify the domain owner via the iodef URL. An SSLmate web service even generates copy-and-paste templates for the configuration syntax of various DNS servers and hosting services. You can retrieve CAA records with
host -t CAA google.com

            An SSLmate service provides matching CAA templates.
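To make the issuance rules above concrete, here is an added example (not code from the article, from SSLmate or from any CA) that evaluates the three records against a certificate request the way RFC 6844 describes: climb from the requested name towards the root until a CAA set is found, apply issue or issuewild depending on whether a wildcard is requested, and refuse if the CA is not listed. The zone contents and all function names are constructed for this example; a real check would query DNS, ideally with DNSSEC validation.

```python
# Added example, not code from the article: a CAA policy check in the spirit
# of RFC 6844, evaluated against a constructed in-memory zone instead of live
# DNS. A real implementation would resolve the records (DNSSEC-validated).

# Constructed zone: owner name -> list of (flags, tag, value) CAA records,
# mirroring the three records shown in the article.
ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "comodoca.com"),
        (0, "iodef", "https://iodef.example.com/"),
    ],
}

def find_caa_set(name, zone=ZONE):
    """Climb from `name` towards the root; return (owner, records) of the
    first non-empty CAA set, or (None, []) if no CAA record exists."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        records = zone.get(owner, [])
        if records:
            return owner, records
    return None, []

def ca_may_issue(hostname, ca_domain, zone=ZONE):
    """Decide whether `ca_domain` may issue for `hostname` ("*.x" = wildcard).
    Returns (allowed, reason, iodef_urls); a CA that is not allowed must
    refuse the request and can report it to the iodef URLs."""
    wildcard = hostname.startswith("*.")
    base = hostname[2:] if wildcard else hostname
    owner, records = find_caa_set(base, zone)
    iodef = [v for _, t, v in records if t == "iodef"]
    if not records:
        return True, "no CAA record found: issuance unrestricted", iodef
    tag = "issuewild" if wildcard else "issue"
    values = [v for _, t, v in records if t == tag]
    if wildcard and not values:        # no issuewild record: issue applies
        values = [v for _, t, v in records if t == "issue"]
    # Value syntax is "<ca-domain>[; parameters]"; a bare ";" forbids everyone.
    allowed = {v.split(";")[0].strip().lower() for v in values} - {""}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is listed in {tag} at {owner}", iodef
    return False, f"{ca_domain} is not listed in {tag} at {owner}", iodef
```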

Unlike DNS-based Authentication of Named Entities (DANE), the CAA concept also works with conventional DNS without DNSSEC; however, the CAA standard (RFC 6844) strongly recommends the use of DNSSEC.
Toothless tiger
Until now, such CAA records have largely been toothless tigers: a certificate issued in violation of them is still accepted by browsers and by every other application that trusts the issuing certification authority. Currently, the only chance that an improperly issued certificate will be noticed comes from Certificate Transparency (CT), which Google is pushing hard.
Under CT, certification authorities must record the certificates they issue in tamper-evident, public logs. This is already mandatory for Extended Validation certificates. Starting in April 2018, Chrome will not accept any newly issued certificate that has not been logged via CT. Anyone who regularly checks with Google which certificates have been issued for their domain may discover a CAA violation. Only once such checks are automated is there a serious chance that a sloppy CA will be noticed.
The CA/Browser Forum adopted "Ballot 187 – Make CAA Checking Mandatory" almost unanimously in March. The forum is a voluntary association of all major browser vendors and certification authorities. Among other things, it sets binding guidelines for the issuance and management of X.509 certificates.