Jóhann B. Guðmundsson <johannbg@gmail.com> writes:
> How on earth is having a CAA record which pinpoints who is allowed to issue certificates

No, it doesn't. It's merely a hint to CAs. It cannot prevent spoofed certificates if any CA is compromised, or fails to validate the CAA record for other reasons. TLS clients are unable to detect spoofed certificates using CAA, since there is no sane way to map between CA certificate and the CAA record. It depends on ultimate trust in every browser root CA. CAA is mostly smoke and mirrors.

TLSA allows you to pin CA certificates or server certificates so that it can be validated by everyone. It will protect against rogue or compromised CAs. And you don't need to trust any of them. You can pin your own certificate instead.

Yes, CAA is inferior. It would have been funny if it wasn't for the fact that people actually believe in this stuff.

Bjørn
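To illustrate the client-side check that TLSA makes possible and CAA does not, here is an added example (not code from anyone in this thread) of RFC 6698 certificate-association matching: it parses TLSA records in DNS presentation format and tests a presented chain against them. Constructed byte strings stand in for real DER certificates and SubjectPublicKeyInfo structures, which a real client would take from the TLS handshake.

```python
import hashlib
from dataclasses import dataclass
from typing import Sequence, Tuple


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format, e.g. '3 1 1 <hex>' (RFC 6698 section 2.2)."""
    usage, selector, matching, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex("".join(hexparts)))


def association_data(cert_der: bytes, spki_der: bytes, rec: TLSA) -> bytes:
    """Reduce a certificate to the bytes the record must match (selector + matching type)."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 0:
        return selected
    if rec.matching == 1:
        return hashlib.sha256(selected).digest()
    if rec.matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {rec.matching}")


Cert = Tuple[bytes, bytes]  # (certificate DER, SubjectPublicKeyInfo DER)


def chain_matches(chain: Sequence[Cert], records: Sequence[TLSA], pkix_ok: bool) -> bool:
    """True if the presented chain (end entity first) satisfies at least one TLSA record.

    Usages 0/1 (PKIX-*) additionally require ordinary CA-based path validation to
    have succeeded; usages 2/3 (DANE-*) do not, which is what lets an operator pin
    a certificate without trusting any public CA. Simplification (constructed
    example): for the TA usages the pinned CA must appear among the issuer
    certificates the server sent, and DNSSEC validation of the records is assumed.
    """
    for rec in records:
        if rec.usage in (0, 1) and not pkix_ok:
            continue
        candidates = chain[:1] if rec.usage in (1, 3) else chain[1:]
        for cert_der, spki_der in candidates:
            if association_data(cert_der, spki_der, rec) == rec.data:
                return True
    return False
```

With a "3 1 1" record pinning the server's own key, a certificate issued by any CA for a different key fails the match even though it would pass ordinary root-store validation.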