
[ale] Let's Encrypt issue starting March 4th

This appears to only be a problem if you publish a CAA record for the domain to which the cert applies.

I looked at CAA records when they first came out and determined they don't have much value as a security mechanism.

Only the Certificate Authorities (DigiCert, Symantec, LetsEncrypt, etc.) check for CAA to determine if they're allowed to issue for a given domain. Any CA that doesn't do validation of domain ownership also wouldn't bother to check for CAA. I've read nothing suggesting anyone other than CAs is comparing CAA to the actual certificate issuer as a check to verify web traffic is truly authorized.

-----Original Message-----
From: Ale <ale-bounces at ale.org> On Behalf Of DJ-Pfulio via Ale
Sent: Tuesday, March 03, 2020 6:48 PM
To: ale at ale.org
Subject: Re: [ale] Let's Encrypt issue starting March 4th

On 3/3/20 5:59 PM, Scott M. Jones via Ale wrote:
> Tomorrow, Let's Encrypt will be invalidating about 3 million out of 
> 113 million certs issued, due to CAA bug.
> https://www.cyberciti.biz/security/letsencrypt-is-revoking-certificates-on-march-4/

Domains with a single cert are NOT impacted.

Someone created a site for people to check their LE certs:
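The CA-side check the reply above describes (a CA consulting CAA before issuing), as an added example that is not part of the thread: a small RFC 8659 CAA evaluator run over a constructed zone. The domain names, record values and the ZONE table are made up for illustration.

```python
# Added example: the issuance decision a CA makes from CAA records (RFC 8659).
# The zone data below is constructed; nothing here queries real DNS.
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) = issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org" or ";" (forbid all issuers)

# Constructed zone: name -> CAA RRset. Names absent from the dict have no CAA RRset.
ZONE = {
    "example.com": [CAA(0, "issue", "letsencrypt.org"),
                    CAA(0, "issuewild", ";"),
                    CAA(0, "iodef", "mailto:security@example.com")],
    "locked.example.net": [CAA(0, "issue", ";")],
    "strict.example.org": [CAA(128, "unknown-tag", "x")],
}

def relevant_rrset(fqdn, zone=ZONE):
    """RFC 8659 s3: walk from the FQDN toward the root; the first name
    that has a CAA RRset is the one that governs issuance."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in zone:
            return zone[name]
    return None

def issuance_allowed(fqdn, ca_domain, wildcard=False, zone=ZONE):
    rrset = relevant_rrset(fqdn, zone)
    if rrset is None:
        return True          # no CAA anywhere up the tree: any CA may issue
    # An unrecognised property with the critical flag set must block issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # For wildcard names issuewild governs when present, otherwise issue applies.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True          # no issue/issuewild restriction: permitted
    # value is "<issuer-domain>[; params]"; a bare ";" names no issuer at all
    for r in governing:
        issuer = r.value.split(";")[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True
    return False
```

Note that this is exactly the check that only the issuing CA runs; a client validating a served certificate gets no benefit from these records unless it performs the same comparison itself.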