Tests for CAA are ongoing
Secured pages are often spied by so-called malicious "man-in-the-middle" organizations. For a requested website, they provide the actual website and, if necessary, protect it with a certificate. However, this certificate is rarely a certificate from a certification authority that has the actual website in use. Since secret service organizations are often behind the "man-in-the-middle" activities, certification authorities can issue these certificates by check of malicious validation email addresses which are rerouted to such organizations or other misuse.
CAA, as a new regulation, forces all certification authorities to check whether their certification authority is listed in the DNS entry as an authorized issuer of certificates before issuing new certificates. If this is not the case, the certificate may not be issued. The procedure will be mandatory this autumn. Currently, SwissSign is already testing the behavior on some types of certificates. If the DNS does not contain any CAA entry or does contain the entry "swisssign.com", the certificate can be issued. If another entry is registered, which does not contain "swisssign.com", difficulties may arise during the exhibition. Contact us in this case.
We will soon provide more convenient hints on how a CAA entry can be implemented.