Educause Security Discussion mailing list archives
Re: Certificate Authority Authorization (CAA)
From: Nadim El-Khoury <nel-khoury () SPRINGFIELD EDU>
Date: Fri, 2 Oct 2020 14:06:04 -0400
Hi Matt,

Thank you for the advice and for the screenshot of your setup. I am then going to set it and run an SSL scan.

Best,
Nadim

On Fri, Oct 2, 2020 at 1:59 PM Matt Weatherford <mbw () uw edu> wrote:

Nadim,

+1! Yes, it's easy to do and gets you a higher score on the free SSL Labs testing site (a great resource for checking your site's compliance with the latest best practices).

Here is a quick image of what we had to set in our DNS tool at the UW (attached).

And here's the (free!) Qualys SSL Labs test page: https://www.ssllabs.com/ssltest/index.html that, once propagated, will confirm you did it correctly.

Best to you and yours,

Matt Weatherford
UW - Center for Studies in Demography and Ecology
Seattle, WA

On 10/2/20 6:10 AM, Frank Barton wrote:

Nadim,

YES, I also strongly recommend setting up something to monitor Certificate Transparency reports to monitor for certificates being issued

Frank

On Thu, Oct 1, 2020 at 2:55 PM Nadim El-Khoury <nel-khoury () springfield edu> wrote:

Hi Ken, Frank,

Thank you for the feedback. Do you recommend that it gets implemented?

Best,
Nadim

On Thu, Oct 1, 2020 at 1:32 PM Johnson, Ken <kenjohnson () letu edu> wrote:

We set one up a couple years back – we have it limited to our legacy external CA provider as well as LetsEncrypt and have wildcards turned off. We used to have challenges with external providers wanting to be added and we did some host-based CAA stuff that worked with extra effort – but these days I think all our external vendors use LE so there aren't really any issues anymore.

Ken Johnson
Chief Information Officer
[o] 903.233.3500 [w] www.letu.edu | [t] @letuit

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Nadim El-Khoury
Sent: Monday, September 28, 2020 1:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Certificate Authority Authorization (CAA)

Hi Everyone,

Has anyone set up Certificate Authority Authorization (CAA) for their domain? If you did, did it work as expected or did you run into issues?

Best,
Nadim

********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437
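The kind of policy discussed in the thread (issuance limited to two CAs, wildcards turned off, a host-level CAA record for a vendor) can be checked with a small evaluator. This is an added example, not part of any poster's message; it follows the RFC 8659 lookup rules but ignores CNAMEs, the critical flag and issuer parameters. The names `example.edu`, `legacy-ca.example` and `vendor-ca.example` are hypothetical, and the zone data is constructed.

```python
# Added example: CAA evaluation (RFC 8659 rules, simplified) over constructed data.
# Assumed names: example.edu, legacy-ca.example, vendor-ca.example are placeholders;
# letsencrypt.org is the issuer domain Let's Encrypt uses in CAA records.
ZONE = {  # constructed sample: owner name -> list of (property tag, value)
    "example.edu": [
        ("issue", "legacy-ca.example"),
        ("issue", "letsencrypt.org"),
        ("issuewild", ";"),            # wildcards turned off
    ],
    "forms.example.edu": [             # host-based record for an outside vendor
        ("issue", "vendor-ca.example"),
    ],
}

def relevant_rrset(fqdn, zone=ZONE):
    """Climb from fqdn toward the root; the first name with CAA records wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []

def may_issue(ca, requested_name, zone=ZONE):
    """True if CAA permits `ca` to issue for requested_name (may be *.name)."""
    wildcard = requested_name.startswith("*.")
    fqdn = requested_name[2:] if wildcard else requested_name
    _, rrset = relevant_rrset(fqdn, zone)
    issue = [v for t, v in rrset if t == "issue"]
    issuewild = [v for t, v in rrset if t == "issuewild"]
    # For wildcard requests, issuewild (if present) replaces issue entirely;
    # for non-wildcard requests, issuewild is ignored.
    values = issuewild if (wildcard and issuewild) else issue
    if not values:
        return True                    # nothing restricts this request
    # The issuer domain is the part before any ';' parameters; ";" alone is empty
    # and therefore authorizes no CA at all.
    allowed = {v.split(";")[0].strip().lower() for v in values}
    return ca.lower() in allowed

if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.edu"),
                     ("letsencrypt.org", "*.example.edu"),
                     ("vendor-ca.example", "*.forms.example.edu")]:
        print(f"{ca:20} {name:24} {may_issue(ca, name)}")
```

A host-level CAA set replaces the parent policy rather than adding to it, so in this constructed zone the apex `issuewild ";"` does not apply under `forms.example.edu`; that host needs its own `issuewild` record if wildcards should stay off there.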
Current thread:
- Re: Certificate Authority Authorization (CAA) Johnson, Ken (Oct 01)
- Re: Certificate Authority Authorization (CAA) Nadim El-Khoury (Oct 01)
- Re: Certificate Authority Authorization (CAA) Frank Barton (Oct 02)
- Re: Certificate Authority Authorization (CAA) Matt Weatherford (Oct 02)
- Re: Certificate Authority Authorization (CAA) Nadim El-Khoury (Oct 02)
- Re: Certificate Authority Authorization (CAA) Nadim El-Khoury (Oct 02)
- Re: Certificate Authority Authorization (CAA) Frank Barton (Oct 02)
- Re: Certificate Authority Authorization (CAA) Nadim El-Khoury (Oct 01)