@__agwa Congratulations on charging more™ for @SSLMate! I just used https://sslmate.com/caa and I'm so happy to pay you now! The CA metadata work is amazing, too!
BTW, "C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2" reports Sectigo as both brand and operator. Shouldn't the brand be Gandi?
Also, it would be nice to be able to authorize CAs per endpoint. I'm ok with Cloudflare certs for my Ghost blog, but I don't want them issuing for any other endpoint.
You can put a CAA record per subdomain AFAIR …
Yeah you can with CAA, I meant as whitelisted CAs in CertSpotter.
They could simply allow import from matching DNS policy. Although there are probably not many users who have a very mixed setup.
Quite a few people have asked for CAA to be consulted. Have to be careful, because DNS is not transparent and (usually) not authenticated. Current plan is to make it an option, and send an email any time Cert Spotter relies on a CAA record for the first time.
At least for http://security.fail the records are DNSSEC signed … That should eliminate the auth issue. What do you mean for the transparency issue? Anycast-DNS?
There's no CT-like system for DNS. Since Cert Spotter is a CT monitor, it shouldn't rely on a system that has weaker security guarantees than CT.
And having it explicitly "Import CAA policy from DNS" with a second step for the user to confirm the read data? From the certs in Cert Spotter you should be able to know which DNS records to ask for.
It will be sort of like that, except the importing will be continuous (since CAA records can change over time) and the user will be informed over email when there's a change.
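The two technical points in the thread are the CAA lookup itself (a subdomain's CAA RRset overrides its parent's, so Cloudflare could be allowed for the blog only) and the idea of continuously importing the DNS policy and notifying the owner when it changes. The following is an added Python example written for this page; it is not code from the thread, from SSLMate or from Cert Spotter. It implements the RFC 8659 Relevant RRset walk, the issue/issuewild decision, and a snapshot comparison over a constructed in-memory zone (no real DNS is queried; the names and issuer domains are illustrative, and CNAME/DNAME handling is omitted).

```python
"""RFC 8659 CAA evaluation and policy-change detection over a constructed zone."""
from dataclasses import dataclass

CRITICAL = 128  # RFC 8659 s4.1: issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone (an assumption for this example, not real DNS): name -> CAA RRset.
# The apex permits one CA and forbids wildcards; the blog subdomain publishes its
# own RRset, which replaces the apex policy for everything under blog.example.test.
ZONE = {
    "example.test": [
        CAA(0, "issue", "sectigo.com"),
        CAA(0, "issuewild", ";"),
        CAA(0, "iodef", "mailto:security@example.test"),
    ],
    "blog.example.test": [
        CAA(0, "issue", "pki.goog; cansignhttpexchanges=yes"),
        CAA(0, "issue", "digicert.com"),
    ],
}


def relevant_caa_set(fqdn, zone):
    """RFC 8659 s3: the Relevant RRset is the first non-empty CAA RRset found
    walking from the FQDN toward the root. Returns (owner_name, records), or
    (None, []) when no ancestor publishes CAA. Alias (CNAME/DNAME) handling
    is omitted."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = zone.get(name)
        if rrset:
            return name, list(rrset)
    return None, []


def issuer_domain(value):
    """Issuer domain of an issue/issuewild value, i.e. the part before any ';'
    parameters. An empty issuer domain means no CA may issue."""
    return value.split(";", 1)[0].strip().lower()


def ca_authorized(fqdn, ca_domain, zone):
    """Decide whether ca_domain may issue for fqdn ('*.' prefix = wildcard).

    - no Relevant RRset: issuance is unrestricted
    - an unknown tag carrying the critical flag: refuse
    - wildcard request: issuewild records replace issue records when present
    - otherwise the CA must match at least one applicable record; a Relevant
      RRset with no applicable records does not restrict issuance
    """
    wildcard = fqdn.startswith("*.")
    _, rrset = relevant_caa_set(fqdn, zone)
    if not rrset:
        return True
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    applicable = [r for r in rrset if r.tag.lower() == tag]
    if not applicable:
        return True
    return any(issuer_domain(r.value) == ca_domain.lower() for r in applicable)


def snapshot(fqdns, zone):
    """Record which CAA RRset governs each monitored name right now, so a later
    snapshot can be compared and the owner told when the policy moved."""
    result = {}
    for fqdn in fqdns:
        name, rrset = relevant_caa_set(fqdn, zone)
        result[fqdn] = (name, frozenset(rrset))
    return result


def changed_names(previous, current):
    """Monitored names whose governing CAA policy differs between two snapshots."""
    names = set(previous) | set(current)
    return sorted(n for n in names if previous.get(n) != current.get(n))


if __name__ == "__main__":
    print(ca_authorized("www.example.test", "sectigo.com", ZONE))   # True
    print(ca_authorized("blog.example.test", "sectigo.com", ZONE))  # False
    print(ca_authorized("*.example.test", "sectigo.com", ZONE))     # False
```

The snapshot/changed_names pair is the part that matters for a monitor: because DNS is neither transparent nor (usually) authenticated, a monitor that acts on CAA should store what it read and tell the owner when the governing RRset changes, rather than silently trusting each fresh answer.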
Sounds reasonable.