Talk:DNS Certification Authority Authorization
This is the talk page for discussing improvements to the DNS Certification Authority Authorization article. This is not a forum for general discussion of the article's subject. |
Article policies
|
Find sources: Google (books · news · scholar · free images · WP refs) · FENS · JSTOR · TWL |
DNS Certification Authority Authorization has been listed as one of the Engineering and technology good articles under the good article criteria. If you can improve it further, please do so. If it no longer meets these criteria, you can reassess it. | ||||||||||
| ||||||||||
A fact from this article appeared on Wikipedia's Main Page in the "Did you know?" column on July 20, 2018. The text of the entry was: Did you know ... that DNS Certification Authority Authorization was developed after a series of incorrectly issued digital certificates damaged public trust in issuing authorities? |
This article is rated GA-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects: | ||||||||||||||||||||||||||||||||||||||||||
|
Use by TLS clients
editI think the idea that CAA is supposed to be used by TLS clients is mistaken:
https://tools.ietf.org/html/rfc6844#section-6 says:
The objective of the CAA record properties described in this document is to reduce the risk of certificate mis-issue rather than avoid reliance on a certificate that has been mis-issued. DANE [RFC6698] describes a mechanism for avoiding reliance on mis-issued certificates.
This came up because I was trying to give someone advice about using CAA to prevent misissuance by having a blanket-deny policy most of the time, except while actually requesting certs. Can we confirm this? Schoen (talk) 20:13, 14 November 2016 (UTC)
- @Schoen: I can confirm that CAA is only implemented by CAs, and not by TLS clients. You should however, be using short certificate lifetimes and automating certificate issuance if at all possible, so this advice probably isn't useful. TheDragonFire (talk) 14:07, 14 October 2017 (UTC)
GA Review
editGA toolbox |
---|
Reviewing |
- This review is transcluded from Talk:DNS Certification Authority Authorization/GA1. The edit link for this section can be used to add comments to the review.
Reviewer: RonaldDuncan (talk · contribs) 16:03, 5 June 2018 (UTC)
My first impression is that the article is a little light/too short, and that a diagram would be a big help in getting over the concept. It would be good to provide some more references whilst expanding the article. e.g the RFC is 18 pages long and has a list of references. RonaldDuncan (talk) 16:03, 5 June 2018 (UTC)
- @RonaldDuncan: Hey! Thank you for taking this on. There are three areas of concern that I anticipate for this nomination:
- The article is a little short on prose, stemming partially from the limited size of the subject area, and partially from my difficulty as a subject-matter expert in using extra prose to make the article understandable.
- The article has less reliable sources than ideal, again stemming from the small amount of writing in the area – most search results are general how-to guides from certificate authorities.
- The article is missing a proper lead, and as a result is a little confused with the story it's trying to tell.
- I think that with your kind advice here, I can rewrite and restructure as necessary, and get this article up to GA standard during the course of this review. I will have a think about your request for a diagram, I may be able to make something but what would you like it to include? The normative references in the RFC are more related to the standards that the RFC depends upon (e.g. CAA is a DNS record, so it needs a normative reference to the DNS standard), rather than directly relevant to CAA at all. TheDragonFire (talk) 13:32, 6 June 2018 (UTC)
- @TheDragonFire: Hi I did a quick google and found https://www.slideshare.net/MenandMice/the-caarecord-for-increased-encryption-security which has a lot of diagrams on the process. You could see which ones you think would enhance the article, and have a look for other images. The images search may well help you find some other sources, since they will probably be part of articles on the process. The how-to guides from the certificate authorities are helpful, there is already one in the article as a reference. It is a bit of a challenge this part, but since the standard was written by two people that work for Comodo, and Comodo is referenced as the CA that did not have it working for the introduction that is part of life's rich problems. RonaldDuncan (talk) 13:45, 6 June 2018 (UTC)
- @RonaldDuncan: Can I just clarify, are you planning to complete a full review against the good article criteria? GA criteria 6 is only applicable
if media with acceptable copyright status is appropriate and readily available
, which it is not (copyright issues, and most graphics are very poor quality). I'm happy to look into creating something myself, but that should not stop this review progressing (no worries at all if you are just taking your time). I've fixed the lead a little. TheDragonFire (talk) 17:07, 6 June 2018 (UTC)- @TheDragonFire: Hi am going to do a full review against the criteria. I just wanted to be upfront with the things that I thought were likely to be issues.RonaldDuncan (talk) 18:14, 6 June 2018 (UTC)
- @RonaldDuncan: Can I just clarify, are you planning to complete a full review against the good article criteria? GA criteria 6 is only applicable
- @TheDragonFire: Hi I did a quick google and found https://www.slideshare.net/MenandMice/the-caarecord-for-increased-encryption-security which has a lot of diagrams on the process. You could see which ones you think would enhance the article, and have a look for other images. The images search may well help you find some other sources, since they will probably be part of articles on the process. The how-to guides from the certificate authorities are helpful, there is already one in the article as a reference. It is a bit of a challenge this part, but since the standard was written by two people that work for Comodo, and Comodo is referenced as the CA that did not have it working for the introduction that is part of life's rich problems. RonaldDuncan (talk) 13:45, 6 June 2018 (UTC)
@TheDragonFire: Hi I have done a full review against the criteria, I still think that the issue that we have both raised of the shortness of the article is an issue. Your thoughts are welcome RonaldDuncan (talk) 14:30, 7 June 2018 (UTC)
- Thanks a lot for this. I will try to work on ironing out criteria 2b and 3 over the next few days. TheDragonFire (talk) 14:38, 7 June 2018 (UTC)
- Okay so I had to make a bunch of changes. I've removed the support table because it was apparently conflating several different classes of DNS software, and ignored the fact that DNS servers are very easily configured to serve new resource records types even if they don't "know" about them. I found several new sources, and I'm now confident that I've got a source to back up everything that's said in the article. One of these sources is a timeline of TLS history that clarified a few things for me, and now the Background section is a more accurate as a result. The total length of the article hasn't really gone up, but there is now slightly more information presented more concisely. I think this is everything that's covered in reliable sources now, part of why I choose this for a GA is that it's a very narrow topic. Things like HTTP Public Key Pinning (my possible next GA) have a lot more meat to them. If you could take a look and tell me how you feel about it, that would be appreciated. TheDragonFire (talk) 13:43, 9 June 2018 (UTC)
- @TheDragonFire: Thanks for all the additional work. I think we agree that a long article on this topic is not appropriate, so the question is how long is a good article. I think an answer is the right length for the subject, and so this is a good article. Let me know if you agree or disagree :) RonaldDuncan (talk) 16:03, 11 June 2018 (UTC)
- @RonaldDuncan: I'm happy to pass this now if you are. TheDragonFire (talk) 16:07, 11 June 2018 (UTC)
- @TheDragonFire: Thanks for all the additional work. I think we agree that a long article on this topic is not appropriate, so the question is how long is a good article. I think an answer is the right length for the subject, and so this is a good article. Let me know if you agree or disagree :) RonaldDuncan (talk) 16:03, 11 June 2018 (UTC)
- Okay so I had to make a bunch of changes. I've removed the support table because it was apparently conflating several different classes of DNS software, and ignored the fact that DNS servers are very easily configured to serve new resource records types even if they don't "know" about them. I found several new sources, and I'm now confident that I've got a source to back up everything that's said in the article. One of these sources is a timeline of TLS history that clarified a few things for me, and now the Background section is a more accurate as a result. The total length of the article hasn't really gone up, but there is now slightly more information presented more concisely. I think this is everything that's covered in reliable sources now, part of why I choose this for a GA is that it's a very narrow topic. Things like HTTP Public Key Pinning (my possible next GA) have a lot more meat to them. If you could take a look and tell me how you feel about it, that would be appreciated. TheDragonFire (talk) 13:43, 9 June 2018 (UTC)
OK I had a look at Wikipedia:Article_size and since it is over 1K (10k), I think it is OK to pass as a good article. Interested in any other editors opinions, otherwise I will pass as a good article tomorrow. RonaldDuncan (talk) 16:16, 11 June 2018 (UTC)
- @Aircorn: You're generally my goto GAN ninja. Do you have a moment to sanity check this? TheDragonFire (talk) 17:43, 11 June 2018 (UTC)
- Article size should not be an issue. It is more whether the reviewer thinks anything is missing. Not familiar enough with the topic to offer an opinion on this myself, but a google search could help. Remember good articles are not perfect, or even great, so there can be some gaps if they are minor or unsourcable. It is ultimately up to the reviewer. Since I was pinged I will say I am not too enthused about the unsourced WP:example farm. Seems a bit like original research to me. Any other specific questions feel free to re ping me. AIRcorn (talk) 16:17, 13 June 2018 (UTC)
- Thanks @Aircorn: and sorry @TheDragonFire: that tomorrow has turned into 11 days. I think it is a good article, and will go ahead on that basis. I have one suggestion for improvement which is around why this is required which could be expanded with links to some of the issues around certificate compromise. DigiNotar Man-in-the-middle_attack HTTP_Public_Key_Pinning Comodo_Group#Certificate_hacking some background links on the results (just observations not for article) https://www.trustwave.com/Resources/SpiderLabs-Blog/Intercepting-SSL-And-HTTPS-Traffic-With-mitmproxy-and-SSLsplit/ https://www.techdirt.com/articles/20130910/10470024468/flying-pig-nsa-is-running-man-middle-attacks-imitating-googles-servers.shtml https://www.eff.org/document/20141228-speigel-analysis-ssl-tls-connections-through-gchq-flying-pig-database RonaldDuncan (talk) 15:39, 22 June 2018 (UTC)
- @RonaldDuncan: I'll have a look at some of that material and see what I can do, although perhaps it might be better editorially to expand Certificate authority#CA compromise instead (perhaps that can be my next GA). Thank you very much for this review. TheDragonFire (talk) 15:50, 22 June 2018 (UTC)
- @TheDragonFire: I have put it into https://en.wikipedia.org/wiki/Wikipedia:Good_articles/Engineering_and_technology#Cryptography it could be argued that it should be in the Websites and the Internet category. Please change if you think that is a better category for the article :) --expand Certificate authority#CA compromise by all means. My thought was a few words to explain in this article RonaldDuncan (talk) 15:55, 22 June 2018 (UTC)
- @RonaldDuncan: I'll have a look at some of that material and see what I can do, although perhaps it might be better editorially to expand Certificate authority#CA compromise instead (perhaps that can be my next GA). Thank you very much for this review. TheDragonFire (talk) 15:50, 22 June 2018 (UTC)
- Thanks @Aircorn: and sorry @TheDragonFire: that tomorrow has turned into 11 days. I think it is a good article, and will go ahead on that basis. I have one suggestion for improvement which is around why this is required which could be expanded with links to some of the issues around certificate compromise. DigiNotar Man-in-the-middle_attack HTTP_Public_Key_Pinning Comodo_Group#Certificate_hacking some background links on the results (just observations not for article) https://www.trustwave.com/Resources/SpiderLabs-Blog/Intercepting-SSL-And-HTTPS-Traffic-With-mitmproxy-and-SSLsplit/ https://www.techdirt.com/articles/20130910/10470024468/flying-pig-nsa-is-running-man-middle-attacks-imitating-googles-servers.shtml https://www.eff.org/document/20141228-speigel-analysis-ssl-tls-connections-through-gchq-flying-pig-database RonaldDuncan (talk) 15:39, 22 June 2018 (UTC)
Rate | Attribute | Review Comment |
---|---|---|
1. Well-written: | ||
1a. the prose is clear, concise, and understandable to an appropriately broad audience; spelling and grammar are correct. | ||
1b. it complies with the Manual of Style guidelines for lead sections, layout, words to watch, fiction, and list incorporation. | ||
2. Verifiable with no original research: | ||
2a. it contains a list of all references (sources of information), presented in accordance with the layout style guideline. | ||
2b. reliable sources are cited inline. All content that could reasonably be challenged, except for plot summaries and that which summarizes cited content elsewhere in the article, must be cited no later than the end of the paragraph (or line if the content is not in prose). | Some of best examples are from connected commercial organisations (CAAs) | |
2c. it contains no original research. | ||
2d. it contains no copyright violations or plagiarism. | only potential issue is the examples which have been changed from the source | |
3. Broad in its coverage: | ||
3a. it addresses the main aspects of the topic. | ||
3b. it stays focused on the topic without going into unnecessary detail (see summary style). | May be too brief | |
4. Neutral: it represents viewpoints fairly and without editorial bias, giving due weight to each. | ||
5. Stable: it does not change significantly from day to day because of an ongoing edit war or content dispute. | ||
6. Illustrated, if possible, by media such as images, video, or audio: | ||
6a. media are tagged with their copyright statuses, and valid non-free use rationales are provided for non-free content. | No Images! | |
6b. media are relevant to the topic, and have suitable captions. | No Images! | |
7. Overall assessment. | Thanks |
Examples
editWhen using a subdomain, certificate authorities climb the DNS name tree looking for a CAA record until they find one or reach the second-level domain:
; The certificate authority will be permitted to issue certificates for example.com and certs.nocerts.example.com, but not nocerts.example.com example.com. IN CAA 0 issue "ca.example.net" nocerts.example.com. IN CAA 0 issue ";" certs.nocerts.example.com. IN CAA 0 issue "ca.example.net"
If a record is empty, any CNAME or DNAME aliases are checked for a CAA record before moving up to a higher subdomain:
; The certificate authority will be allowed to issue certificates for certs.example.com example.net. IN CAA 0 issue "ca.example.net" example.com. IN CAA 0 issue ";" certs.example.com. IN CNAME example.net
To authorise issuance for normal certificates, while restricting the issuance of wildcard certificates:
example.com. IN CAA 0 issue "ca.example.net" example.com. IN CAA 0 issuewild ";"
To authorise issuance for example.com but not nocerts.example.com:
example.com. IN CAA 0 issue "ca.example.net" nocerts.example.com. IN CAA 0 issue ";"
Moved from the article due to sourcing concerns. TheDragonFire (talk) 12:04, 12 July 2018 (UTC)