Closed knoepfchendruecker closed 3 years ago
Right now, such certificates do show up in caa_helper like this:
gmx.net. IN CAA 0 issue "digicert.com"
gmx.net. IN CAA 0 issue "1549.unknown-ca.caarecord.org"
gmx.net. IN CAA 0 issue "2747.unknown-ca.caarecord.org"
… so adding telesec.de might be a good idea.
This CA is already listed under "Deutsche Telekom Security". I've added "TeleSec" as an alias to avoid future confusion.
Note that since this CA is not a direct participant in Mozilla's PKI Program (which is where we get CAA information), it is not currently detected by the auto-generate feature. This problem is being tracked in #78.
Contrary to #3, Deutsche Telekom/T-System's TrustCenter telesec.de (like any other CA nowadays) does support CAA records. The expected value is "telesec.de".
Quoting https://www.telesec.de/assets/downloads/PKI-Repository/Shared-Business-CA_CP-CPS_11.00_EN.pdf:
A simple example is the CA itself:
telesec.de has CAA record 0 iodef "mailto:trustcenter.lastlevel@t-systems.com"
telesec.de has CAA record 0 issue "telesec.de"
telesec.de has CAA record 0 issuewild "telesec.de"
… but also Germany's largest freemail services GMX/Web.de use certificates issued by telesec.de:
gmx.net has CAA record 0 issue "Digicert.com"
gmx.net has CAA record 0 issue "telesec.de"
gmx.com has CAA record 0 issue "telesec.de"
gmx.com has CAA record 0 issue "Digicert.com"
web.de has CAA record 0 issue "Digicert.com"
web.de has CAA record 0 issue "telesec.de"