SSLMate / caa_helper

Generate a CAA policy
https://sslmate.com/caa/
Mozilla Public License 2.0

DFN CA Missing #39

Closed joker234 closed 6 years ago

joker234 commented 7 years ago

Thanks for the tool. Please include DFN as CA.

. CAA 0 issue "pki.dfn.de"

Source (German only): https://blog.pki.dfn.de/2017/03/rfc-6844-certification-authority-authorization-caa/

AGWA commented 7 years ago

This is going to need to be special cased, as the Mozilla report groups DFN-PKI with T-Systems.

joker234 commented 7 years ago

Hmm, yes, this isn't a CA which is included in common OS/browser stores. This is an intermediate CA signed by Deutsche Telekom Root CA 2.

Do you consider including intermediate CAs? If not you can close this issue.

AGWA commented 7 years ago

Yes, I definitely want to include intermediate CAs, and have asked Mozilla to collect CAA identifiers on a per-intermediate basis. Until then, I'll have to add intermediate CAs manually, and I don't have a good way to do that yet.

brauckmann commented 6 years ago

The current state may be confusing for people who rely on caa_helper, as you are using just the first issue domain for each CA. There are many CAs with a lot of issue domains, and I guess that just using the first breaks several more intermediate CAs, not just DFN-PKI.

You already have all names in cas.xml in ca:caa. Wouldn't it be more correct to generate rule sets with all ca:caa values per CA?

To do that, you could simply replace https://github.com/SSLMate/caa_helper/blob/1cfc66959599e602ac7e1154b5be09ba11551047/generator.js#L176

with

// ca:caa may hold several space-separated CAA identifiers; emit one item per identifier
var values = inputs[i].value.split(' ');
for (var j = 0; j < values.length; ++j) {
    items.push(values[j]);
}

Thanks for caa_helper, BTW. Especially the Legacy Zone File encoding is very valuable.
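The proposal above, as an added example that is not part of the thread or of caa_helper's code: take a CA whose ca:caa field carries several space-separated identifiers, emit one `issue` record per identifier, and render each record both in standard presentation format (RFC 8659) and in the RFC 3597 generic `TYPE257 \# <len> <hex>` encoding that caa_helper calls the Legacy Zone File format. The CA object, the owner name `@`, and the identifiers `pki.example.de` / `example-ca.net` are constructed for illustration; `pki.dfn.de` is the identifier from the thread. A decoder is included so the legacy encoding can be checked by round-tripping it.

```javascript
// Added example (not caa_helper's own code): build the CAA RRset for a CA
// that has several CAA issue identifiers, in both presentation format and
// the RFC 3597 generic ("unknown type") encoding for legacy zone-file parsers.

// Constructed sample CA, modelled on the thread's description of cas.xml's
// ca:caa field holding space-separated identifiers. Not a real CA entry.
const SAMPLE_CA = { name: 'Example CA (constructed)', caa: 'pki.example.de example-ca.net' };

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// CAA RDATA wire format: flags (1 octet), tag length (1 octet), tag, value.
function caaRdata(flags, tag, value) {
  if (!Number.isInteger(flags) || flags < 0 || flags > 255) throw new Error('flags out of range');
  if (!/^[A-Za-z0-9]+$/.test(tag)) throw new Error('tag must be alphanumeric');
  const tagBytes = Buffer.from(tag, 'ascii');
  const valueBytes = Buffer.from(value, 'utf8');
  return Buffer.concat([Buffer.from([flags, tagBytes.length]), tagBytes, valueBytes]);
}

// RFC 3597 generic RR encoding: TYPE257 \# <rdlength> <hex octets>.
function legacyZoneFile(flags, tag, value) {
  const rdata = caaRdata(flags, tag, value);
  return `TYPE257 \\# ${rdata.length} ${toHex(rdata)}`;
}

// Parse a legacy-encoded CAA RR back into its fields, checking the declared
// length against the hex payload and the tag length against the RDATA.
function decodeLegacy(text) {
  const m = /^TYPE257 \\# (\d+) ([0-9a-fA-F]+)$/.exec(text.trim());
  if (!m) throw new Error('not a TYPE257 generic record');
  const rdata = Buffer.from(m[2], 'hex');
  if (rdata.length !== Number(m[1])) throw new Error('declared length does not match payload');
  if (rdata.length < 2) throw new Error('RDATA too short for flags and tag length');
  const flags = rdata[0];
  const tagLen = rdata[1];
  if (rdata.length < 2 + tagLen) throw new Error('tag length exceeds RDATA');
  return {
    flags,
    tag: rdata.subarray(2, 2 + tagLen).toString('ascii'),
    value: rdata.subarray(2 + tagLen).toString('utf8'),
  };
}

// One CAA RR per identifier, as the thread proposes (split ca:caa on space).
// Every RR at the owner name together forms the CAA RRset for that name.
function caaRecordsForCa(ca, owner = '@', flags = 0) {
  const ids = ca.caa.split(' ').filter((s) => s.length > 0);
  return ids.map((id) => ({
    standard: `${owner} CAA ${flags} issue "${id}"`,
    legacy: `${owner} ${legacyZoneFile(flags, 'issue', id)}`,
  }));
}

for (const rr of caaRecordsForCa(SAMPLE_CA)) {
  console.log(rr.standard);
  console.log(rr.legacy);
}
```

Splitting ca:caa this way is exactly why the record set grows with the number of identifiers a CA lists: each identifier becomes its own RR, so a CA with many equivalent identifiers produces an RRset that is many lines long in either encoding.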

AGWA commented 6 years ago

I don't want to generate CAA records containing all the CAA identifiers because it would result in huge record sets, and it's not clear that it's needed except for DFN-PKI. For instance, Symantec's many CAA identifiers are all equivalent. They are not for externally-operated intermediates.

Instead, I added an extra_cas.xml file for listing special CAs such as DFN-PKI.