Computing Reviews
A first look at Certification Authority Authorization (CAA)
Scheitle Q., Chung T., Hiller J., Gasser O., Naab J., van Rijswijk-Deij R., Hohlfeld O., Holz R., Choffnes D., Mislove A., Carle G. ACM SIGCOMM Computer Communication Review 48(2): 10-23, 2018. Type: Article
Date Reviewed: Nov 21 2019

Security is a cornerstone of information and communications technology (ICT): it provides and maintains robustness, sustainability, and reliability. Using web services by visiting different web pages is woven into daily life, and different policies have evolved to secure that use. Among certificate-based security techniques, domain name system (DNS) Certification Authority Authorization (CAA) is one well-known method. In light of some malfunctions and misissued certificates, this paper surveys audited CAA anomalies and proposes corrections.

The introduction covers the main stakeholders in the CAA platform, that is, certificate authorities, domain name holders, DNS operators, third-party auditors, and standards bodies, along with an approach to ethical considerations. The literature review features a history of CAA’s evolution and of different security technologies. Avoidance, detection, and protection against misissuance are counted as the salient mechanisms for improving CAA security. The authors explore CAA’s security contributions and its robustness against attacks, as well as some of its weaknesses, for instance, “little protection against man-in-the-middle attacks.”

To evaluate the operation of certificate authorities (CAs), the paper carries out several categories of tests that reveal malfunctions at issuance. It emphasizes the role of domain name holders in the success of CAA and examines deployment patterns, name server consistency, Domain Name System Security Extensions (DNSSEC), and “DNS operator support for CAA.”

Next, the role of a third-party auditor (RFC 6844) is investigated. Issuance anomalies, problematic CAA configurations, and exemplary CAA configurations are discussed, including several misissuances, pending renewal problems, and false positives. The paper concludes with important recommendations, including “requiring valid signatures for DNSSEC-enabled domains,” “define strategy on name server inconsistency,” “removal of DNS operator privilege,” and “require DNS lookup security controls.”
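As an added illustration (not code from the paper or its authors), the following Python sketches the RFC 6844 evaluation the paper audits: the relevant CAA set is the first non-empty set found climbing from the domain toward the root, issuance is decided from the issue/issuewild tags and the critical flag, and a simple check flags the name server inconsistency the recommendations mention. The zone contents, name server answers, and CA identifiers are constructed for the example; a real auditor would query the authoritative servers instead.

```python
# Added example, not code from the reviewed paper: evaluates CAA the way
# RFC 6844 describes (climb toward the root, first non-empty CAA set wins)
# and flags the name server inconsistency the paper discusses.
# Zone contents and CA identifiers below are constructed for the example.
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]            # (flags, tag, value)
Zone = Dict[str, List[CAARecord]]           # name -> CAA RRset, as one name server answers
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

NS1: Zone = {
    "example.com": [(0, "issue", "ca-a.example")],
    "wild.example.com": [(0, "issue", "ca-a.example"), (0, "issuewild", ";")],
    "locked.example.com": [(128, "unknowntag", "x")],   # critical flag on unknown tag
}
NS2: Zone = {**NS1, "example.com": [(0, "issue", "ca-b.example")]}  # diverged copy


def relevant_caa(domain: str, zone: Zone) -> Tuple[str, List[CAARecord]]:
    """Return (name, RRset) of the first non-empty CAA set from `domain` up to the root."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return "", []


def ca_may_issue(domain: str, ca: str, zone: Zone, wildcard: bool = False) -> bool:
    """Decide whether CA `ca` may issue for `domain` under the relevant CAA set."""
    _, records = relevant_caa(domain, zone)
    # A record with the critical flag (0x80) and a tag the CA does not
    # understand must block issuance, whatever else the set says.
    if any(flags & 0x80 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"                   # issuewild only overrides issue for wildcards
    # Only the CA identifier before any ';' parameters matters; ";" alone yields "".
    allowed = [v.split(";", 1)[0].strip() for _, t, v in records if t == tag]
    if not allowed:
        return True                         # no restricting tag: issuance is not restricted
    return ca in allowed


def consistent_across_servers(domain: str, zones: List[Zone]) -> bool:
    """Name server inconsistency check: every server must yield the same relevant set."""
    answers = {tuple(sorted(relevant_caa(domain, z)[1])) for z in zones}
    return len(answers) == 1
```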

The paper discusses a hierarchical structure of web security mechanisms based on CAA. In a well-written and structured manner, it also presents a good dissection of the CAA architecture. The provided proposals, both concise and comprehensive, reveal a tangible effort to improve security. In summary, the paper takes a significant look at CAA anomalies.

Reviewer: Mohammad Sadegh Kayhani Pirdehi. Review #: CR146791 (2004-0076)
Categories: Security and Protection (C.2.0 ...); Network Protocols (C.2.2)