[ale] Let's Encrypt issue starting March 4th
Lightner, Jeffrey
JLightner at dsservices.com
Wed Mar 4 14:24:09 EST 2020
This appears to only be a problem if you publish a CAA record for the domain to which the cert applies.
I looked at CAA records when they first came out and determined they don't have much value as a security mechanism.
Only the Certificate Authorities (DigiCert, Symantec, LetsEncrypt, etc...) check for CAA to determine if they're allowed to issue for a given domain. Any CA that doesn't do validation of domain ownership also wouldn't bother to check for CAA. I've read nothing suggesting anyone other than CAs is comparing CAA to the actual certificate issuer as a check to verify web traffic is truly authorized.
-----Original Message-----
From: Ale <ale-bounces at ale.org> On Behalf Of DJ-Pfulio via Ale
Sent: Tuesday, March 03, 2020 6:48 PM
To: ale at ale.org
Subject: Re: [ale] Let's Encrypt issue starting March 4th
On 3/3/20 5:59 PM, Scott M. Jones via Ale wrote:
> Tomorrow, Let's Encrypt will be invalidating about 3 million out of
> 113 million certs issued, due to CAA bug.
>
> https://www.cyberciti.biz/security/letsencrypt-is-revoking-certificates-on-march-4/
Domains with a single cert are NOT impacted.
Someone created a site for people to check their LE certs:
https://checkhost.unboundtest.com/