SSLMate / caa_helper

Generate a CAA policy
https://sslmate.com/caa/
Mozilla Public License 2.0

TeleSec CA does support CAA #127

Closed knoepfchendruecker closed 3 years ago

knoepfchendruecker commented 3 years ago

Contrary to #3, Deutsche Telekom/T-System's TrustCenter telesec.de (like any other CA nowadays) does support CAA records. The expected value is "telesec.de".

Quoting https://www.telesec.de/assets/downloads/PKI-Repository/Shared-Business-CA_CP-CPS_11.00_EN.pdf:

3.2.5.3 Checking CAA entries in the DNS

The following applies for the issue of server certificates from a public certification authority (see Section 1.3.1.2.1): All FQDN entries are checked against the CAA entries in the DNS (Certification Authority Authorization; CAA Records for Fully Qualified Domain Names) in the scope of the authorization check. If one or more CAA resource records are found whose issue or issuewild property differs from "telesec.de", the certificate request will be rejected. If the issuewild property contains a semicolon ";", then a wildcard certificate request is always rejected. If there is no CAA resource record or the issue or issuewild property of the CAA resource record is "telesec.de" the check will be completed. "TeleSec Shared Business CA" processes 8 CNAME chain records and limits the length of the chain to a maximum of 10 as recommended.

A simple example is the CA itself:

telesec.de has CAA record 0 iodef "mailto:trustcenter.lastlevel@t-systems.com"
telesec.de has CAA record 0 issue "telesec.de"
telesec.de has CAA record 0 issuewild "telesec.de"

… but also Germany's largest freemail services GMX/Web.de use certificates issued by telesec.de:

gmx.net has CAA record 0 issue "Digicert.com"
gmx.net has CAA record 0 issue "telesec.de"
gmx.com has CAA record 0 issue "telesec.de"
gmx.com has CAA record 0 issue "Digicert.com"
web.de has CAA record 0 issue "Digicert.com"
web.de has CAA record 0 issue "telesec.de"
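The checking rule quoted from the CP/CPS above is the issuer-side half of CAA. The following is an added worked example (not code from this issue, from caa_helper, or from TeleSec) that evaluates the records quoted in this thread under the general RFC 8659 semantics: walk from the name toward the root to find the relevant RRset, let issuewild take precedence for wildcard names, treat a bare ";" as "no CA may issue", and compare issuer domains case-insensitively. The in-memory ZONE table and the nowild.example entry are constructed stand-ins for DNS.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (128) is the Issuer Critical flag
    tag: str
    value: str


# Constructed lookup table standing in for DNS, built from the records quoted above.
ZONE = {
    "telesec.de": [CAA(0, "iodef", "mailto:trustcenter.lastlevel@t-systems.com"),
                   CAA(0, "issue", "telesec.de"), CAA(0, "issuewild", "telesec.de")],
    "gmx.net": [CAA(0, "issue", "Digicert.com"), CAA(0, "issue", "telesec.de")],
    "web.de": [CAA(0, "issue", "Digicert.com"), CAA(0, "issue", "telesec.de")],
    # Constructed: forbids every CA from issuing wildcards, restricts nothing else.
    "nowild.example": [CAA(0, "issuewild", ";")],
}


def relevant_rrset(name: str) -> list[CAA]:
    """RFC 8659 s3: climb from the name toward the root; first non-empty CAA RRset wins."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = ZONE.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_domain(value: str) -> str:
    """'telesec.de; account=1' -> 'telesec.de'; a bare ';' -> '' (authorizes no CA)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, fqdn: str) -> bool:
    """True if the CA identified by `ca` is authorized to issue a certificate for `fqdn`."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn)
    # A critical record whose tag the issuer does not understand forbids issuance.
    if any(r.flags & 128 and r.tag.lower() not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    tags = {"issue"}
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tags = {"issuewild"}  # issuewild present: issue records are ignored for wildcards
    relevant = [r for r in rrset if r.tag.lower() in tags]
    if not relevant:
        return True  # no restricting property in the relevant RRset: any CA may issue
    return any(issuer_domain(r.value) == ca.lower() for r in relevant)
```

Note that the CP/CPS wording ("differs from telesec.de ... will be rejected") reads stricter than the RFC rule implemented here; the gmx.net and web.de records, which list both Digicert.com and telesec.de, show that in practice a matching record alongside others is accepted.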

knoepfchendruecker commented 3 years ago

Right now, such certificates do show up in caa_helper like this:

gmx.net. IN CAA 0 issue "digicert.com"
gmx.net. IN CAA 0 issue "1549.unknown-ca.caarecord.org"
gmx.net. IN CAA 0 issue "2747.unknown-ca.caarecord.org"

… so adding telesec.de might be a good idea.

AGWA commented 3 years ago

This CA is already listed under "Deutsche Telekom Security". I've added "TeleSec" as an alias to avoid future confusion.

Note that since this CA is not a direct participant in Mozilla's PKI Program (which is where we get CAA information), it is not currently detected by the auto-generate feature. This problem is being tracked in #78.