Please use this identifier to cite or link to this item: http://arks.princeton.edu/ark:/88435/dsp01k3569766z
Title: Certificate Authority Authorization Record Collection and Analysis
Authors: Poor, Kenny
Advisors: Mittal, Prateek
Department: Electrical and Computer Engineering
Class Year: 2024
Abstract: Certificates are important parts of the Web Public Key Infrastructure that allow domains to prove their identity to connecting clients. Mis-issuance of certificates by Certificate Authorities (CAs), or malicious attacks on the issuance process, could have disastrous security consequences and incur severe financial loss, for example from cryptocurrency theft. Certificate Transparency (CT) is a system adopted in 2013 that gives public visibility into certificate issuance for monitoring: CT logs record the issuance of each certificate. Certificate Authority Authorization (CAA) records allow domain owners to choose which CAs they trust to issue certificates for their domains. However, there is insufficient checking of whether CAs issue certificates in accordance with the CAA standard, and no study has investigated the intersection of CT logs with CAA compliance and usage. Our work implemented a comprehensive CT log monitor that performs basic CAA record compliance analysis when a new certificate issuance is recorded in a CT log, overcoming the significant time delay between the collection of new entries and the checking of CAA records. Our distributed system design also addresses the incompleteness of collection present in other CT monitors. By comprehensively monitoring all publicly trusted CT logs, we hope to achieve a global view of the CAA record landscape and to measure the rate of CAA and DNSSEC usage by domains. Currently, our algorithm requests 300 CT log entries per second with a response rate of 50-75%, and asynchronously sends DNS CAA record requests for the domains associated with these entries. Our data analysis revealed the general landscape of CAA records, such as the frequency of certificate issuance by each CA and whether CAA records significantly change that distribution.
URI: http://arks.princeton.edu/ark:/88435/dsp01k3569766z
Type of Material: Princeton University Senior Theses
Language: en
Appears in Collections: Electrical and Computer Engineering, 1932-2024
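The abstract above describes a monitor that, for each new CT log entry, resolves the CAA records of the certificate's domains and checks whether the issuing CA was authorized. The following is an added example of that compliance step; it is not code from the thesis. The CAA data is constructed inline as a stand-in for the asynchronous DNS answers a real monitor would gather, the domain names and CA identifiers are placeholders, and the matching logic is a simplified reading of the RFC 8659 procedure (tree climbing to the nearest CAA RRset, issue vs. issuewild selection, empty-issuer ";" meaning "nobody", and an unrecognised critical property forbidding issuance) with no CNAME/DNAME chasing, no property parameters and no DNSSEC validation.

```python
"""Simplified CAA compliance check for newly logged CT entries.

Added example, not code from the thesis. CAA_ZONE_DATA is constructed
here in place of live DNS answers; names and CA identifiers are placeholders.
"""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value) as in RFC 8659

# Constructed zone data: owner name -> CAA RRset. Flag 128 = issuer critical.
CAA_ZONE_DATA: Dict[str, List[CaaRecord]] = {
    "example.com.": [(0, "issue", "ca-alpha.example"),
                     (0, "issuewild", ";")],          # no wildcards at all
    "locked.example.": [(0, "issue", ";")],           # nobody may issue
    "oddflag.example.": [(128, "futuretag", "x")],    # critical, unknown tag
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_rrset(fqdn: str, zone_data: Dict[str, List[CaaRecord]]
                       ) -> Optional[List[CaaRecord]]:
    """Climb from the FQDN toward the root and return the first CAA RRset
    found (RFC 8659 section 3); None means no CAA record applies."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in zone_data:
            return zone_data[owner]
    return None


def _issuer_domain(value: str) -> str:
    """Strip parameters ('ca.example; accounturi=...') and normalise case.
    An empty result (value ';') authorises no issuer."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits_issuance(name: str, issuer_id: str,
                         zone_data: Dict[str, List[CaaRecord]]) -> bool:
    """Return True if the CA identified by issuer_id may issue for `name`.
    A leading '*.' marks a wildcard request."""
    is_wildcard = name.startswith("*.")
    fqdn = name[2:] if is_wildcard else name
    rrset = relevant_caa_rrset(fqdn, zone_data)
    if rrset is None:
        return True  # no CAA RRset anywhere up the tree: unrestricted
    # An unrecognised property with the critical flag set forbids issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS
           for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    applicable = issuewild if (is_wildcard and issuewild) else issue
    if not applicable:
        return True  # RRset exists but carries no applicable restriction
    allowed = {_issuer_domain(v) for v in applicable if _issuer_domain(v)}
    return issuer_id.lower() in allowed


def noncompliant_names(san_list: List[str], issuer_id: str,
                       zone_data: Dict[str, List[CaaRecord]]) -> List[str]:
    """For one CT entry, list the SANs whose CAA records did not authorise
    the issuing CA. An empty list means the entry passed the CAA check."""
    return [n for n in san_list
            if not caa_permits_issuance(n, issuer_id, zone_data)]


if __name__ == "__main__":
    # Constructed CT entry: a certificate with three SANs issued by ca-alpha.
    sans = ["www.example.com", "*.example.com", "free.example"]
    print(noncompliant_names(sans, "ca-alpha.example", CAA_ZONE_DATA))
    # -> ['*.example.com']  (issuewild ';' forbids wildcard issuance)
```

In a monitor, `noncompliant_names` would run once per CT entry after the asynchronous CAA lookups for its SANs return; a non-empty result is the signal worth recording for later analysis, since a CAA lookup performed long after issuance can only approximate the records that were in place at issuance time.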

Files in This Item:
File: POOR-KENNY-THESIS.pdf
Size: 1.02 MB
Format: Adobe PDF
Access: Request a copy


Items in Dataspace are protected by copyright, with all rights reserved, unless otherwise indicated.