Email or username:

Password:

Forgot your password?
Top-level
Jan Schaumann

Who is the "holder of the issuer-domain-name" for, say, geotrust.com, rapidssl.com, or thawte.com?

That's right: DigiCert.

So by specifying 'geotrust.com' in your CAA record, you are implicitly also granting the various DigiCert subsidiaries authorization, which really isn't obvious at all.

13 comments
Jan Schaumann replied to Jan

If we then add up the various related CA domains, our breakdown looks more like this:

Pie chart Top CAA issue records (all TLDs): Comodo (29.9%), DigiCert (24%), letsencrypt.org (23.8%), globalsign.com (16.3%)
Pie chart CAA issue records in Top1M Domains: letsencrypt.org (25.6%), Comodo (22.5%), DigiCert (21.1%), pki.goog (12.8%)
Pie chart CAA issuewild records for all TLDs: Comodo (33%), letsencrypt.org (22.2%), DigiCert (20.5%), globalsign.com (19.2%)
CAA issuewild records for Top 1M Domains: Comodo (25.1%), letsencrypt.org (23%), DigiCert (22%), pki.goog (15.5%)
Jan Schaumann replied to Jan

Or, if you prefer Pareto charts to better illustrate the cumulative concentration:

Pareto Chart Top CAA issue records (all TLDs)
Pareto Chart Top CAA issue records (Top 1M Domains)
Pareto Chart Top CAA issuewild records (all TLDs)
Pareto Chart Top CAA issuewild records (Top 1M Domains)
Jan Schaumann replied to Jan

Authorizing a given CA can still be too broad for your taste, which is why RFC8657 specifies the 'accounturi' and 'validationmethods' parameter extensions.

There's also a draft extension for Signed HTTP Exchanges ('cansignhttpexchanges') that appears to only be supported by DigiCert and pki.goog.

The usage of these parameters is quite limited:

Table: extension parameter | count (all TLDs) | count (Top1M Domains)

cansignhttpexchanges 	259,245 	17,108
validationmethods 	559 	43
accounturi 	243 	29
account 	163 	29
root 	11 	0
policy 	9 	4
Jan Schaumann replied to Jan

In conclusion, after analyzing around 214 million domain names for CAA records, the following are worth noting:

1) CAA records are still not widely used.

Across all TLDs, only 1.4% of domains use CAA records; out of the Top 1M Domains, only 4.8%.

Considering that CAA records have been around since 2010 and honoring them has been mandatory for CAs since 2017, this seems like a pretty poor adoption rate.

Jan Schaumann replied to Jan

2) Most people don't set 'iodef'.

Those domains that do use CAA records tend to use the 'issue' and 'issuewild' records, but only minuscule fraction (0.9% of all TLDs' domains; 3.2% of the Top 1M Domains) set 'iodef'.

Jan Schaumann replied to Jan

3) Extensions are not widely used.

The dominance of the 'cansignhttpexchanges' parameter here surprised me, but could be explained by being pushed without industry agreement by Google as part of their "Accelerated Mobile Pages" (AMP) framework?

Jan Schaumann replied to Jan

And finally, and most importantly:

4) A small number of CAs dominate.

Only 7 Certificate Authorities account for over 99% of all CAA 'issue'/'issuewild' records (10 CAs for 99% of the Top 1M Domains).

3 alone account for over 75%: Comodo, DigiCert, and Let's Encrypt.

Jan Schaumann replied to Jan

Even though this only covers the small percentage of domains that do set CAA records, I would not be surprised if the overall use of CAs across all domains followed a similar -- and similarly centralized -- distribution.

(In some markets, regional players will play a bigger role; once again the inability to get access to all ccTLD zones makes this difficult to assess.)

Jan Schaumann replied to Jan

So no, you probably could replace your giant trust bundle with fewer than... 20 or so root CA certs and not notice a difference, I'd guess.

But whether that's a good thing, whether it's wise for the entire internet to place all -- well, >99% -- of its certificates/eggs into fewer than 10 CAs/baskets seems more than questionable.

Jan Schaumann replied to Jan

And that's it for today - thanks for playing "Whose Cert Is It Anyway?" โœŒ๏ธ

This thread is available as a blog post here:

netmeister.org/blog/caa-divers

Jan Schaumann replied to Jan

P.S.: This was the third blog post in a series on the centralization of the internet.

Part 1, covering NS records, can be found here:
netmeister.org/blog/nsauth-div

Or, as a Twitter thread:
twitter.com/jschauma/status/15

Go Up