Document Date: Nov. 8, 2017

Summary

Commercial Certificate Authorities (CAs) have implemented a new security check known as ‘Certificate Authority Authorization DNS record checking’ or ‘CAA checking’ (RFC 6844). It operates as follows: before issuing a certificate, a CA looks up the CAA DNS record for the requested domain name (climbing to the parent domain if the name itself has none). If the record names one or more Certificate Authorities, any CA that is not named must refuse to issue a certificate for that domain.

The Information Security group is considering configuring the CAA DNS record for ‘utoronto.ca’ with the Comodo Certificate Authority. If implemented, no CA other than Comodo will be able to issue a certificate for ‘utoronto.ca’ or any subdomain. One caveat: a subdomain that publishes its own CAA record overrides the ‘utoronto.ca’ record for that subdomain and everything below it, so the restriction applies only where no such record exists.
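To make the checking described above concrete, here is an added example (not code from the original announcement or from any CA) that performs the CAA authorization decision a CA makes at issuance time, following the lookup procedure in RFC 6844 section 4. The zone records are constructed for the example and are not the real ‘utoronto.ca’ zone; ‘comodoca.com’ is assumed to be the identifier Comodo publishes for CAA and should be confirmed against the CA's documentation before a record is published. The example goes beyond the single-CA case in the text: it also shows a subdomain override, an ‘issuewild’ record, an explicit ‘;’ (no CA may issue) record and the critical flag. CNAME/alias handling from the RFC is omitted.

```python
"""Added example (not from the original announcement): a CAA authorization
check that follows the lookup procedure in RFC 6844 section 4.

The zone data is constructed for this example and is not the real utoronto.ca
zone. "comodoca.com" is assumed to be the CAA identifier Comodo publishes;
confirm it against the CA's documentation before publishing a record.
CNAME/alias handling from the RFC is omitted for brevity.
"""
import re

# Constructed zone file excerpt in the syntax one would put in the DNS.
ZONE_TEXT = """\
; hypothetical records, constructed for this example
utoronto.ca.        IN CAA 0   issue     "comodoca.com"
utoronto.ca.        IN CAA 0   iodef     "mailto:security.admin@utoronto.ca"
lab.utoronto.ca.    IN CAA 0   issue     "letsencrypt.org"
wild.utoronto.ca.   IN CAA 0   issuewild "comodoca.com"
locked.utoronto.ca. IN CAA 0   issue     ";"
crit.utoronto.ca.   IN CAA 128 futuretag "unknown"
"""

_RR = re.compile(r'^(\S+?)\.?\s+(?:\d+\s+)?IN\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"\s*$')


def parse_zone_line(line):
    """Parse one 'name [ttl] IN CAA flags tag "value"' line."""
    m = _RR.match(line)
    if not m:
        raise ValueError("not a CAA record: %r" % line)
    name, flags, tag, value = m.groups()
    return name.lower(), int(flags), tag.lower(), value


def load_zone(text):
    """Build {owner name: [(flags, tag, value), ...]} from zone text."""
    zone = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or zone-file comment
        name, flags, tag, value = parse_zone_line(line)
        zone.setdefault(name, []).append((flags, tag, value))
    return zone


ZONE = load_zone(ZONE_TEXT)


def relevant_rrset(zone, fqdn):
    """RFC 6844: start at the FQDN and climb toward the root; the first
    CAA RRset found is the only one that applies (parents are not merged)."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def _ca_domains(values):
    # An issue/issuewild value is 'domain[; param=value ...]'; only the
    # domain part names the CA. A bare ";" means no CA at all.
    return {v.split(";", 1)[0].strip().lower() for v in values} - {""}


def is_authorized(zone, fqdn, ca_domain, wildcard=False):
    """Would a CA identified by ca_domain be permitted to issue for fqdn?"""
    _, rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True  # no CAA record anywhere up the tree: unrestricted
    # A record flagged critical (bit 128) carrying a tag the CA does not
    # understand means the CA must refuse to issue.
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no applicable restriction for this request type
    return ca_domain.lower() in _ca_domains(relevant)


if __name__ == "__main__":
    for host, ca, wc in [("www.utoronto.ca", "comodoca.com", False),
                         ("www.utoronto.ca", "letsencrypt.org", False),
                         ("host.lab.utoronto.ca", "comodoca.com", False),
                         ("wild.utoronto.ca", "letsencrypt.org", True),
                         ("locked.utoronto.ca", "comodoca.com", False)]:
        label = ("*." if wc else "") + host
        print(f"{label:24} {ca:16} -> {is_authorized(ZONE, host, ca, wc)}")
```

Two points worth noting from the walk-through: the lookup stops at the first CAA RRset it finds, so ‘host.lab.utoronto.ca’ is governed by the ‘lab.utoronto.ca’ record alone and Comodo would be refused there; and a name with only an ‘issuewild’ record places no restriction on non-wildcard issuance at all, which is easy to get wrong when writing records by hand. A real CA also repeats the lookup through any CNAME chain and honours DNSSEC, which this example does not model.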

The implications of ‘CAA checking’ for the University are:

  1. The ITS Comodo re-selling service would be the primary service for obtaining certificates. (Features: cert products are available at no charge (funded by the ITS budget); cert products are ‘Organization Validation’ rather than ‘Domain Validation’ (see below for an explanation); the issuance process is vetted to ensure University staff are involved.)
  2. Ordering certificates from any other CA would fail that CA's CAA check.
  3. CAA checking is a requirement for CA operation under the Baseline Requirements of the CA/Browser Forum, the industry body whose rules govern publicly trusted CAs; the requirement took effect on September 8, 2017. Web site security scanners may soon flag domains with no CAA entry.

Implementation Plan

  1. Information Security will configure CAA DNS records for ‘utoronto.ca’ domain on a chosen date. The change will have no effect on existing certificate deployment in services. When certificates are ordered or renewed after the chosen date, they must be ordered from Comodo CA only.
  2. Additional CA requirements or exceptions should be communicated to Information Security at security.admin@utoronto.ca. Some cloud services obtain certificates automatically through a CA's API; such a service will fail the CAA check unless the CA it uses is also listed in the record, so these services need to be identified before the change.

Questions and comments should be directed to ‘security.admin@utoronto.ca’.

Domain Validation vs. Organization Validation vs. Extended Validation

There are three levels of validation that CAs perform before issuing a certificate.

Domain Validation (DV): the CA verifies only that the applicant controls the domain name, typically by sending a challenge to the registrant or an administrative e-mail address for the domain, or by having the applicant publish a CA-supplied token in DNS or on the web server. No check is made on who the applicant is.

Organization Validation (OV): the CA performs out-of-band validation of the organization that owns the domain name. Checks include telephone numbers listed in trusted sources and Dun & Bradstreet business registration.

Extended Validation (EV): the CA conducts ‘extended’ validation beyond OV, including obtaining a letter from the organization's legal counsel and confirming adherence to the subscriber agreement.

It is well known that DV certs are easy to obtain, and malware distributors use them. OV and EV certs are much less likely to be used for malicious purposes.