Closed joker234 closed 6 years ago
This is going to need to be special cased, as the Mozilla report groups DFN-PKI with T-Systems.
Hmm, yes, this isn't a CA which is included in common OS/browsers. This is an intermediate CA signed by DeutscheTelekom Root CA 2.
Do you consider including intermediate CAs? If not you can close this issue.
Yes, I definitely want to include intermediate CAs, and have asked Mozilla to collect CAA identifiers on a per-intermediate basis. Until then, I'll have to add intermediate CAs manually, and I don't have a good way to do that yet.
The current state may be confusing for people who rely on caa_helper, as you are using just the first issue domain for each CA. There are many CAs with a lot of issue domains, and I guess that just using the first breaks several more intermediate CAs, not just DFN-PKI.
You already have all names in cas.xml in ca:caa. Wouldn't it be more correct to generate rule sets with all ca:caa values per CA?
To do that, you could simply replace https://github.com/SSLMate/caa_helper/blob/1cfc66959599e602ac7e1154b5be09ba11551047/generator.js#L176
with
```javascript
// Split the space-separated ca:caa field and add every identifier, not just the first.
var values = inputs[i].value.split(' ');
for (var j = 0; j < values.length; ++j) {
  items.push(values[j]);
}
```
Thanks for caa_helper, BTW. Especially the Legacy Zone File encoding is very valuable.
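The two things this comment touches, one `issue` record per ca:caa identifier and the Legacy Zone File (RFC 3597 generic) encoding of those records, as an added stand-alone example; this is not caa_helper's generator.js, and the sample CA entry, the owner name `example.test.` and the identifiers are constructed:

```javascript
// Added example, not code from caa_helper. It expands a CA's space-separated
// ca:caa identifiers into one CAA "issue" record each, in both the native
// presentation format and the RFC 3597 generic form (TYPE257 \# <len> <hex>)
// that name servers without CAA support can still load.

// Constructed sample in the shape of a cas.xml entry: a hypothetical CA
// whose ca:caa field lists two identifiers.
const sampleCa = {
  name: 'Example CA (constructed)',
  caa: 'example-ca.test example-ca-intermediate.test',
};

// Split the ca:caa field; tolerate repeated whitespace and trailing spaces.
function caaIdentifiers(caaField) {
  return caaField.split(/\s+/).filter(Boolean);
}

// CAA RDATA (RFC 8659): flags (1 octet), tag length (1 octet), tag, value.
function caaRdata(flags, tag, value) {
  const tagBuf = Buffer.from(tag, 'ascii');
  const valBuf = Buffer.from(value, 'utf8');
  if (tagBuf.length < 1 || tagBuf.length > 255) {
    throw new RangeError('CAA tag must be 1..255 octets');
  }
  return Buffer.concat([Buffer.from([flags & 0xff, tagBuf.length]), tagBuf, valBuf]);
}

// Native presentation format, e.g.  example.test. IN CAA 0 issue "ca.example"
function presentationRecord(owner, tag, value, flags = 0) {
  return `${owner} IN CAA ${flags} ${tag} "${value}"`;
}

// RFC 3597 generic encoding: the RDATA length followed by its hex octets.
function legacyRecord(owner, tag, value, flags = 0) {
  const rdata = caaRdata(flags, tag, value);
  return `${owner} IN TYPE257 \\# ${rdata.length} ${rdata.toString('hex')}`;
}

// Decode generic RDATA back to {flags, tag, value} so a zone can be checked
// for what it actually authorizes.
function parseCaaRdata(rdata) {
  if (rdata.length < 2 || rdata.length < 2 + rdata[1]) {
    throw new RangeError('truncated CAA RDATA');
  }
  const tagLen = rdata[1];
  return {
    flags: rdata[0],
    tag: rdata.subarray(2, 2 + tagLen).toString('ascii'),
    value: rdata.subarray(2 + tagLen).toString('utf8'),
  };
}

// One "issue" record per identifier, native or legacy form.
function caaRecordSet(owner, ca, legacy = false) {
  return caaIdentifiers(ca.caa).map((id) =>
    legacy ? legacyRecord(owner, 'issue', id) : presentationRecord(owner, 'issue', id)
  );
}

// Usage: print both forms for the constructed CA.
console.log(caaRecordSet('example.test.', sampleCa).join('\n'));
console.log(caaRecordSet('example.test.', sampleCa, true).join('\n'));
```

Emitting every identifier is what makes the record set correct for a CA whose intermediates use different identifiers; the trade-off the maintainer raises below (larger record sets) is visible directly in the output length.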
I don't want to generate CAA records containing all the CAA identifiers because it would result in huge record sets, and it's not clear that it's needed except for DFN-PKI. For instance, Symantec's many CAA identifiers are all equivalent. They are not for externally-operated intermediates.
Instead, I added an extra_cas.xml file for listing special CAs such as DFN-PKI.
Thanks for the tool. Please include DFN as CA.
Source (German only): https://blog.pki.dfn.de/2017/03/rfc-6844-certification-authority-authorization-caa/