Raising the Bar: The CA/B Forum’s Move to Extend CAA to S/MIME

The CA/B Forum has initiated a ballot requiring CAs (Certificate Authorities) to adopt CAA (CA Authorization) processing for email addresses included in S/MIME certificates.

What Exactly is CAA (Certification Authority Authorization)?

A CAA record is a DNS resource record (an entry stored in a DNS zone's database that provides details about a specific object within that domain). It allows the owner of a domain to specify which CAs are authorized to issue certificates of a particular kind for that domain and which are not.

The idea is that a CA checks a domain’s CAA records before issuing a certificate. If the domain has no CAA record, the certificate is issued once all authentication checks succeed. However, if the CA encounters CAA records, it can issue a certificate only if it is named in one of the records, which indicates that it is authorized to issue a certificate for that domain.
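The check described above, applied to an S/MIME request, as an added example (not code from the article or the CA/B Forum). It assumes the `issuemail` property tag that RFC 9495 defines for email certificates, which the article does not name, and the RFC 8659 rules for climbing to parent domains and for the critical flag; the zone data and CA identifiers are constructed.

```python
import re

# Constructed sample data (not real DNS): owner name -> CAA records in
# presentation format '<flags> <tag> "<value>"'.
ZONE = {
    "example.com": ['0 issue "tls-ca.example"', '0 issuemail "mail-ca.example"'],
    "corp.example.net": ['0 issue "tls-ca.example"'],
    "locked.example.org": ['0 issuemail ";"'],
    "odd.example.org": ['128 futuretag "x"', '0 issuemail "mail-ca.example"'],
}
KNOWN_TAGS = {"issue", "issuewild", "issuemail", "iodef"}
CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"$')

def parse(record):
    """Split one CAA record into (flags, tag, issuer-domain-name)."""
    m = CAA_RE.match(record.strip())
    if not m:
        raise ValueError(f"malformed CAA record: {record!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    # The issuer name precedes any ';' parameters; ";" alone means "no CA".
    issuer = value.split(";", 1)[0].strip().lower()
    return flags, tag, issuer

def relevant_rrset(domain, zone):
    """Climb from the domain toward the root; the first CAA set found wins."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return [parse(r) for r in records]
    return []

def may_issue_smime(email, ca_id, zone=ZONE):
    """Decide whether the CA identified by ca_id may issue for this address."""
    domain = email.rsplit("@", 1)[1]
    rrset = relevant_rrset(domain, zone)
    # An unknown property with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    mail_issuers = [issuer for _, tag, issuer in rrset if tag == "issuemail"]
    if not mail_issuers:
        return True  # no issuemail restriction published for this domain
    return ca_id.lower() in mail_issuers
```

A domain that publishes only `issue` records restricts TLS issuance but not S/MIME, so domain owners who want to constrain email certificates need an explicit `issuemail` record.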

To learn more about this topic, visit Encryption Consulting
