ComputingReviews.com

A first look at Certification Authority Authorization (CAA)
Scheitle Q., Chung T., Hiller J., Gasser O., Naab J., van Rijswijk-Deij R., Hohlfeld O., Holz R., Choffnes D., Mislove A., Carle G. ACM SIGCOMM Computer Communication Review48(2):10-23,2018.Type:Article

Date Reviewed: 11/21/19

The cornerstone of information and communications technology (ICT), security provides and maintains robustness, sustainability, and reliability. Using web services by referring to different web pages is interwoven in daily life; different policies have evolved to provide security. With regards to certificate-based security techniques, domain name system (DNS) Certificate Authority Authorization (CAA) is one well-known method. In light of some malfunctions and misissued certificates, this paper surveys audited CAA anomalies and proposes corrections.

The introduction covers the main stack holders in the CAA platform, that is, certificate authorities, domain name holders, DNS operators, third-party auditors, and standard bodies, along with an approach for ethical considerations. The literature review features a history of CAA’s evolution and different security technologies. Avoidance, detection, and protection against misissuance are counted as salient mechanism for improving CAA security. The authors explore CAA’s security contributions and its robustness against attacks, as well as some of its weaknesses, for instance, “little protection against man-in-the-middle attacks.”

To evaluate the operation of certificate authorities (CAs), some categorized tests are carried out that definitely reflect malfunctions at issuance. The paper emphasizes the role of domain name holders in the success of CAA and examines deployment patterns, name server consistency, Domain Name System Security Extensions (DNSSEC), and “DNS operator support for CAA.”

Next, the role of a third-party auditor (RFC 6844) is investigated. Issuance anomalies, problematic CAA configurations, and exemplary CAA configurations are discussed, including several misissuances, pending renewal problems, and false positives. The paper’s end result is important recommendations, including “requiring valid signatures for DNSSEC-enabled domains,” “define strategy on name server inconsistency,” “removal of DNS operator privilege,” and “require DNS lookup security controls.”

The paper discusses a hierarchical structure of web security mechanisms based on CAA. In a well-written and structured manner, it also presents a good dissection of the CAA architecture. The provided proposals, both concise and comprehensive, reveal a tangible effort to improve security. In summary, the paper takes a significant look at CAA anomalies.

Reviewer: Mohammad Sadegh Kayhani Pirdehi

Review #: CR146791 (2004-0076)

Reproduction in whole or in part without permission is prohibited. Copyright 2024 ComputingReviews.com™
Terms of Use | Privacy Policy