[Openid-specs-fapi] Issue #692: CAA records (openid/fapi)
dgtonge
issues-reply at bitbucket.org
Wed May 8 14:53:13 UTC 2024
New issue 692: CAA records
https://bitbucket.org/openid/fapi/issues/692/caa-records
Dave Tonge:
5.2.1. Requirements for all endpoints
NOTE 1: Even if an endpoint uses only organization validated (OV) or extended validation (EV) TLS certificates, an attacker using rogue domain-validated certificates is able to impersonate the endpoint and conduct man-in-the-middle attacks. CAA records [RFC8659] help to mitigate this risk.
[Rifaat] The above statement is suggesting that implementations should consider implementing CAA records to avoid this attack. Why not explicitly call that out, instead of mentioning this in a note?
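Added example (not part of the issue, the FAPI draft, or any OpenID Foundation code): the check a CA performs under RFC 8659 before issuing, run against the kind of CAA records an endpoint operator would publish to keep a rogue domain-validated CA from issuing for the endpoint's name. SAMPLE_ZONE, the names under example.com, and the CA domains ca-a.example and rogue-dv-ca.example are all constructed. Simplifying assumptions: DNS is replaced by the in-memory dict, CNAME chasing is not modelled, and a Wildcard Domain Name *.X is evaluated against the relevant RRset of X.

```python
"""Evaluate the RFC 8659 CAA issuance rules against a constructed zone snapshot.

Added example for the FAPI CAA discussion; not part of the FAPI spec or the
issue. Assumptions: DNS is replaced by the in-memory dict below, CNAME chasing
is not modelled, and a Wildcard Domain Name *.X is evaluated against the
relevant RRset of X.
"""
import re
from dataclasses import dataclass

CRITICAL_FLAG = 0x80                      # "issuer critical" bit (RFC 8659 section 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str    # property tag, matched case-insensitively
    value: str  # property value: issuer-domain-name plus optional "; key=value" parameters


# Constructed zone snapshot (not real DNS data): owner name -> CAA RRs in presentation format.
SAMPLE_ZONE = {
    "example.com.": [
        '0 issue "ca-a.example"',                   # only this CA may issue under example.com
        '0 issuewild ";"',                          # no CA may issue wildcard certificates
        '0 iodef "mailto:security@example.com"',    # where a CA reports a refused request
    ],
    "strict.example.com.": ['128 futuretag "x"'],   # critical flag set on an unknown tag
    "noissue.example.com.": ['0 issue ";"'],        # no CA at all may issue
    "report-only.example.com.": ['0 iodef "mailto:security@example.com"'],
}

_RR_RE = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"$')


def parse_caa(rr_text: str) -> CAARecord:
    """Parse one CAA RR in zone-file presentation format: <flags> <tag> "<value>"."""
    m = _RR_RE.match(rr_text.strip())
    if m is None:
        raise ValueError(f"not a CAA RR: {rr_text!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError(f"flags out of range: {flags}")
    return CAARecord(flags, m.group(2).lower(), m.group(3))


def _fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."


def relevant_caa_set(zone: dict, name: str) -> list:
    """RFC 8659 section 3: the CAA RRset of the closest ancestor-or-self that has one."""
    labels = _fqdn(name).rstrip(".").split(".")
    while labels:
        rrs = zone.get(".".join(labels) + ".")
        if rrs:
            return [parse_caa(rr) for rr in rrs]
        labels = labels[1:]          # climb to the parent domain
    return []


def issuer_matches(value: str, ca_domain: str) -> bool:
    """Compare the issuer-domain-name part of an issue/issuewild value with the CA's domain."""
    issuer = value.split(";", 1)[0].strip().lower().rstrip(".")
    if not issuer:                   # value ";" (empty issuer-domain-name): nobody may issue
        return False
    return issuer == ca_domain.lower().rstrip(".")


def may_issue(zone: dict, name: str, ca_domain: str) -> bool:
    """Decide whether ca_domain may issue for name (a FQDN or a *.FQDN wildcard)."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa_set(zone, name[2:] if wildcard else name)
    if not rrset:
        return True                  # no CAA anywhere up the tree: issuance is unrestricted
    if any(r.flags & CRITICAL_FLAG and r.tag not in KNOWN_TAGS for r in rrset):
        return False                 # critical, unrecognised property: MUST NOT issue
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild is ignored for non-wildcard names; for wildcard names it
    # replaces issue whenever at least one issuewild record exists.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True                  # only non-restricting tags (e.g. iodef): permitted
    return any(issuer_matches(r.value, ca_domain) for r in governing)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca-a.example"),
                     ("www.example.com", "rogue-dv-ca.example"),
                     ("*.example.com", "ca-a.example"),
                     ("strict.example.com", "ca-a.example"),
                     ("report-only.example.com", "rogue-dv-ca.example")]:
        verdict = "may issue" if may_issue(SAMPLE_ZONE, name, ca) else "MUST NOT issue"
        print(f"{ca:>22} -> {name:<26} {verdict}")
```

The case that matters for the note in 5.2.1 is the second one: with `0 issue "ca-a.example"` published at example.com, a domain-validated request to any other CA for www.example.com is refused regardless of how the attacker passed domain validation, which is exactly the exposure OV/EV certificates alone do not close. The `issuewild ";"` record is worth publishing alongside it, since otherwise a wildcard request falls back to the issue records and a wildcard certificate would cover the endpoint's name too.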