Comment by nucleardog a day ago

Not that it removes you entirely from the PKI ecosystem as you seem to desire, but in case you’re not aware, since 2017 CAs have been required to check and honour the CAA DNS records you set. These specify which CAs are allowed to issue certificates for your domain.

If any CA issues a certificate anyway, they’re in violation of requirement 3.2.2.8. Don’t know what you’re up to, but I have to imagine it would have to be pretty interesting to someone for one of those companies to face down an existential threat and misissue a certificate for your domain.
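The CAA check the comment refers to, as an added example that is not part of the original post or any CA's code: a Python model of the RFC 8659 lookup (climb the name toward the root, take the first non-empty CAA set) and the issue/issuewild permission logic, run against a constructed sample zone. The zone contents, `example.com` names and CA identifiers are illustrative assumptions.

```python
# Constructed sample zone: name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                       # no CA may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "nocaa.example.com.": [],                        # no CAA set at this name
    "api.example.com.": [(128, "issue", "digicert.com")],
    "legacy.example.com.": [(128, "futuretag", "x")],  # unknown critical tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_record_set(name, zone):
    """RFC 8659 s3: climb toward the root, return the first non-empty CAA RRset."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """Issuer domain from an issue/issuewild value such as 'ca.example; account=1'."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca, name, zone, wildcard=False):
    """True if the CA identified by `ca` is permitted to issue for `name`."""
    rrset = relevant_record_set(name, zone)
    # A property the CA does not understand with the critical bit (0x80) set
    # means the CA must not issue at all.
    if any(f & 0x80 and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    tags = {t for _, t, _ in rrset}
    if wildcard and "issuewild" in tags:
        governing = "issuewild"   # issuewild takes precedence for *.name
    elif "issue" in tags:
        governing = "issue"
    else:
        return True               # nothing restricts issuance (e.g. only iodef)
    allowed = {issuer_domain(v) for _, t, v in rrset if t == governing}
    return ca.lower() in allowed  # 'issue ";"' yields {""}, so no CA matches

if __name__ == "__main__":
    for ca, name, wc in [("letsencrypt.org", "example.com.", False),
                         ("digicert.com", "example.com.", False),
                         ("letsencrypt.org", "example.com.", True),
                         ("letsencrypt.org", "www.nocaa.example.com.", False)]:
        print(f"{ca:16} {'*.' if wc else ''}{name:28} {may_issue(ca, name, ZONE, wc)}")
```

Running the same logic against your real zone (with a resolver in place of `ZONE`) is a quick way to confirm that the policy you published actually says what you intended, including for subdomains that carry no CAA of their own.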