Re: Certificate Authority Authorization (CAA)

[Nadim El-Khoury <nel-khoury () SPRINGFIELD EDU>]

Hi Matt,

Thank you for the advice and for the screenshot of your setup.
I am then going to set it and run a SSL scan.

Best,

Nadim

On Fri, Oct 2, 2020 at 1:59 PM Matt Weatherford <mbw () uw edu> wrote:

> Nadim,
>
> + 1  !
>
> Yes, its easy to do and gets you a higher score on the free SSL Labs
> testing site (a great resource for checking your site's compliance with the
> latest best practices)
>
> Here is a quick image of what we had to set in our DNS tool at the UW
> (attached)
>
> And heres the (free!)  Qualsys SSL labs test page:
> https://www.ssllabs.com/ssltest/index.html
>
> that, once propagated,  will confirm you did it correctly
>
>
> Best to you and yours,
>
> Matt Weatherford
>
> UW - Center for Studies in Demography and Ecology
>
> Seattle, WA
>
>
> On 10/2/20 6:10 AM, Frank Barton wrote:
>
> Nadim, YES, I also strongly setting up something to monitor Certificate
> Transparency reports to monitor for certificates being issued
>
> Frank
>
> On Thu, Oct 1, 2020 at 2:55 PM Nadim El-Khoury <nel-khoury () springfield edu>
> wrote:
>
> > Hi Ken, Frank,
> >
> > Thank you for the feedback.
> > Do you recommend that it gets implemented?
> >
> > Best,
> >
> > Nadim
> >
> > On Thu, Oct 1, 2020 at 1:32 PM Johnson, Ken <kenjohnson () letu edu> wrote:
> >
> > > We set one up a couple years back – we have it limited to our legacy
> > > external CA provider as well as LetsEncrypt and have wildcards turned off.
> > >
> > >
> > >
> > > We used to have challenges with external providers wanting to be added
> > > and we did some host-based CAA stuff that worked with extra effort – but
> > > these days I think all our external vendors use LE so there aren’t really
> > > any issues anymore.
> > >
> > >
> > >
> > > *Ken Johnson *
> > >
> > > Chief Information Officer
> > >
> > > [o] 903.233.3500
> > >
> > > [w] www.letu.edu *| *[t] @letuit
> > > <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fletuit&data=02%7C01%7C%7C0eac38a07f824368e8b908d5fca3c6a4%7C97a5855489f64d5a9806dd0ee085d235%7C1%7C0%7C636692702694986109&sdata=eDbAGos5PRiB%2B6%2B1fIoxbE8l%2FHstj0zh61ZboGHIiIc%3D&reserved=0>
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > *From:* The EDUCAUSE Security Community Group Listserv <
> > > SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Nadim El-Khoury
> > > *Sent:* Monday, September 28, 2020 1:39 PM
> > > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > > *Subject:* [SECURITY] Certificate Authority Authorization (CAA)
> > >
> > >
> > >
> > > Hi Everyone,
> > >
> > >
> > >
> > > Has anyone setup Certificate Authority Authorization (CAA) for their
> > > domain?
> > >
> > > If you did, did it work as expected or ran into issues?
> > >
> > >
> > >
> > > Best,
> > >
> > >
> > >
> > > Nadim
> > >
> > > **********
> > > Replies to EDUCAUSE Community Group emails are sent to the entire
> > > community list. If you want to reply only to the person who sent the
> > > message, copy and paste their email address and forward the email reply.
> > > Additional participation and subscription information can be found at
> > > https://www.educause.edu/community
> > > <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ckenjohnson%40LETU.EDU%7C91ecbe59b5624ab1fc6808d863ddda10%7C97a5855489f64d5a9806dd0ee085d235%7C1%7C1%7C637369151800212099&sdata=JB2rwKAT8RIWAWF6282rGbwEaxTVB79lrHPY9YlcHnc%3D&reserved=0>
> > >
> > > **********
> > > Replies to EDUCAUSE Community Group emails are sent to the entire
> > > community list. If you want to reply only to the person who sent the
> > > message, copy and paste their email address and forward the email reply.
> > > Additional participation and subscription information can be found at
> > > https://www.educause.edu/community
> > **********
> > Replies to EDUCAUSE Community Group emails are sent to the entire
> > community list. If you want to reply only to the person who sent the
> > message, copy and paste their email address and forward the email reply.
> > Additional participation and subscription information can be found at
> > https://www.educause.edu/community
>
>
> --
> Frank Barton, MBA
> Security+, ACMT, MCP
> IT Systems Administrator
> Husson University
> PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community