
CAA Issuance Tests

We conduct controlled experiments to analyze whether CAs honor CAA records, which came into effect (became mandatory for CAs) on September 8, 2017.

We conduct one round of tests right after CAA records became effective (around September 9) and a round of re-tests a month later (October 10).

UPDATE 2017-11-23: We have identified issuance anomalies based on historic DNS records Link

UPDATE 2017-11-15: DigiCert has done an extensive review of our test case D2 and even identified 4 new certificates affected by the same problem. Bugzilla

Test Domain Setups

We set up several test domains to check various corner cases of CAA deployment.
This list has some overlap with the nice work at https://caatestsuite.com/

Zone files can be found under zonefiles/.

| Domain | Setup | Expected CA Behavior | FQDNs | Zone |
|---|---|---|---|---|
| D1 | Zone signed, CAA: 0 issue ";" | Refuse | crossbear.net, gazebear.net | gazebear.net |
| D2 [1] | Zone signed, timeout on CAA record | Refuse | crossbear.org, gazebear.org | gazebear.org |
| D3 | Not signed, issue permitted, but critical flag and nonexistent CAA record set | Refuse | measr.net, gazebear.mobi | gazebear.mobi |
| D4 | Not signed, timeout on CAA record | Retry, then Refuse or Issue | perenaster.com, gazebear.info | gazebear.info |
| D5 | www --> D1 | Refuse | www.gazebear.online, www.gazebear5.com | www.gazebear.online, www.gazebear5.com |
| D6 | www --> www.D1 | Refuse or Issue | www.gazebear.pet, www.gazebear6.com | (informational test) |
| D7 | hash-ca, issue permissive | Issue | HASH.gazebear.site | (informational test) |
| D8 | hash-ca, issue denied | Reject | HASH.gazebear.site | (informational test) |

For case D4, the RFC and the CA/B Forum ballot permit a CA to issue. However, CAs may (and arguably should) be more conservative and decide to refuse issuance after a timeout on the CAA record.

[1] More on D2: the zone file contains an "issue ;" CAA record, and all CAA replies for that zone are dropped. As the zone is signed, no CA would be authorized to issue even if a reply got through.
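As an added example (not code from the caa-test project), here is a minimal CAA evaluator in the spirit of RFC 6844 (alias target first, then climb towards the root) that reproduces the expected CA behaviour for D1 through D5, D7 and D8. The CA identifier ca.example, the labels d7./d8.gazebear.site standing in for HASH.gazebear.site, and the exact content of D3's critical record are assumptions.

```python
from collections import namedtuple

CRITICAL = 128                       # issuer-critical flag bit (RFC 6844)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CAA = namedtuple("CAA", "flags tag value")

class CAATimeout(Exception):
    """The CAA query for an owner name got no reply (simulated dropped answer)."""

def lookup_caa(records, name):
    """owner name -> list of CAA, "timeout" or ("cname", target); climb to the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        entry = records.get(owner)
        if entry == "timeout":
            raise CAATimeout(owner)
        if isinstance(entry, tuple):             # alias: use the target's CAA set
            return lookup_caa(records, entry[1])
        if entry:
            return entry
    return []                                    # no CAA anywhere: unrestricted

def decide(records, signed_zones, name, ca_domain):
    """Return 'issue', 'refuse' or 'retry' for the CA identified by ca_domain."""
    try:
        rrset = lookup_caa(records, name)
    except CAATimeout as e:
        owner = str(e)                           # D2: signed zone, treat as hard failure
        signed = any(owner == z or owner.endswith("." + z) for z in signed_zones)
        return "refuse" if signed else "retry"   # D4: unsigned zone, retry first
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return "refuse"                          # D3: unknown critical property
    issuers = [r.value.split(";")[0].strip() for r in rrset if r.tag == "issue"]
    if not issuers:
        return "issue"                           # no issue property at all
    return "issue" if ca_domain in issuers else "refuse"   # D1: ";" names nobody

# Constructed data modelled on D1-D5, D7 and D8; CA id and D7/D8 labels are placeholders.
CA = "ca.example"
RECORDS = {
    "gazebear.net": [CAA(0, "issue", ";")],                                    # D1
    "gazebear.org": "timeout",                                                 # D2 (signed)
    "gazebear.mobi": [CAA(0, "issue", CA), CAA(CRITICAL, "nonexistent", "x")],  # D3
    "gazebear.info": "timeout",                                                # D4 (unsigned)
    "www.gazebear.online": ("cname", "gazebear.net"),                          # D5
    "d7.gazebear.site": [CAA(0, "issue", CA)],                                 # D7
    "d8.gazebear.site": [CAA(0, "issue", "other-ca.example")],                 # D8
}
SIGNED = {"gazebear.net", "gazebear.org"}
```

Calling decide(RECORDS, SIGNED, name, CA) for each test name yields refuse for D1, D2, D3, D5 and D8, retry for D4 and issue for D7.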

CA Test Results

The table header contains the expected result.

The first result indicates the result of the first test in September 2017, the second result the re-test in October 2017.

For example (Refused/Issued) indicates that a CA refused to issue in the first test in September, but issued in the re-test in October.

| CA | D1 (R) | D2 (R) | D3 (R) | D4 (Any) | D5 (R) | D6 (Any) | D7 (I) / D8 (R) | Contact |
|---|---|---|---|---|---|---|---|---|
| RapidSSL [1] (Symantec) | Refused/Refused | Refused/Issued (Zone, Bug) | Refused/Refused | Refused/Issued | -/Refused | -/Issued | Issued | 13.10.17, 11:43 CEST |
| Comodo InstantSSL [5] | Issued/Refused | Issued/Issued (Zone)/Issued [4] | Issued/Refused | Issued/Issued (Zone) | -/Refused | -/Issued | -/Issued | 13.10.17, 11:47 CEST |
| LetsEncrypt | Refused/Refused | Refused/Refused | Refused/Refused | Refused/Refused | -/Refused | -/Issued | -/Issued | No need |
| GoDaddy | Refused/Refused | Refused/Refused | Refused/Refused | Issued/Issued | -/Refused | -/Issued | D8: Refused | No need |
| Startcom | Refused/Pending | Issued/Issued (Bug) | Refused/Refused | Refused/Issued | -/Issued (Zone, Bug) | -/Issued | -/Issued | 16.10.17, 15:15 CEST |
| Buypass [2] | Refused/Refused | Issued/Refused | Refused/Refused (measr.net) | Cancelled/Issued | -/Refused | -/Refused | D8: Refused | No need |
| Certum | Refused/Refused | Issued/Refused | Refused/Issued (Zone, Bug) | Issued/Issued | -/Issued (Zone, Bug) | -/Issued | -/Issued | 16.10.17, 14:16 CEST |
| Sum | 1/0 | 4/3 | 1/1 | 3/6 | -/2 | -/6 | informational | |
| Digicert | Refused/Refused | -/Refused | -/Refused | -/Issued | -/Refused | -/Issued | -/Issued | No need |
| Network Solution [3] | Pending/- | -- | -- | -- | | | | |
| AlphaSSL (GlobalSign) | -/Refused | -/Refused | -/Refused | Issued | -/Refused | -/Issued | -/D8: Refused | No need |
| SSL.com [5] (Comodo Brand) | -/Issued (Zone, Bug) | -/Issued | -/Pending | -/Issued | -/Pending | -/Issued | -/Issued | |
| Thawte Trial (Symantec) | -/Refused | -/Issued | -/Refused | -/Issued | -/Refused | -/Issued | -/Issued | not CT compatible |
| Symantec | -/Refused | -/Refused | -/Refused | -/Issued | -/Refused | -/Issued | -/Issued | No need |
| GeoTrust (Symantec) | -/Refused | -/Issued | -/Pending | -/Issued | -/Refused | -/Issued | - | tested above |
| SSL.com Basic | -/Refused | -/Issued | -/ | -/ | -/ | -/ | -/ | Comodo reseller |

[1] Other Symantec brands with the same backend as RapidSSL were not tested individually. The first refusal might have been due to a missing locality in the CSR; we validated second-round CSRs using this checker.

[2] First test for D4 cancelled after 2 days in pending, likely in wake of our bug report for D2.

[3] Due to the high cost of certificates and lengthy validation process, we only tested the basic case for DigiCert and Network Solutions.

[4] Comodo instantly reacted to our report and changed their system behaviour. An immediate re-test led to issuance 2 days later. Comodo then stated that they had to revert back to the old behavior for operational reasons.

[5] Though SSL.com delivers Comodo certificates and uses the Comodo backend, its observable behaviour differed.

Discussion on D2

Comodo First Round Bug Report

We will update this page as more information becomes available. You are very welcome to contact us through email/phone as listed on https://www.net.in.tum.de/members/scheitle/

Further information and opt-out contacts are given under https://net.in.tum.de/projects/gino/

Useful Links:

RapidSSL/GeoTrust/Symantec/Thawte Trial Certificates

Comodo 1 2

Certum

CSR checker

Mozilla NSS Mis-Issuance Bugtracker

Mozilla CA contacts

SSL.com revoke mechanism

Issues

Issuing after retry is optional

Hey, thanks for posting your CAA tests! It is great to have a second set of public CAA tests.

I have a nit regarding D4 (Not signed, timeout on CAA record). The table says the "expected CA behavior" is "Issue after retry." I think the table should say "Refuse or issue after retry," since CAs are permitted to be more restrictive than required. Not issuing after a timeout is definitely the safer CA behavior, so I hate to see anything that suggests CAs are expected to do it :-)
