A Call to Reconsider Certification Authority Authorization (CAA)
Pouyan Fotouhi Tehrani, Raphael Hiesgen, Thomas C. Schmidt, Matthias Wählisch

TL;DR
This paper critically examines the limitations of Certification Authority Authorization (CAA) in preventing certificate misissuance, highlighting operational pitfalls and proposing best practices for secure DNS-based protocols.
Contribution
It identifies fundamental shortcomings in CAA concepts and operational practices, offering insights to improve security protocols relying on DNS.
Findings
CAA shortcomings weaken certificate issuance safeguards
Operational pitfalls compromise CAA effectiveness
Best practices can enhance DNS-based security protocols
Abstract
Certification Authority Authorization (CAA) is a safeguard against illegitimate certificate issuance. We show how shortcomings in CAA concepts and operational aspects undermine its effectiveness in preventing certificate misissuance. Our discussion reveals pitfalls and highlights best practices when designing security protocols based on DNS.
Taxonomy
Topics: Library Science and Information Systems
