One day after the CAA (Certificate Authority Authorization) standard became obligatory on September 8, a German security researcher caught Comodo breaking the rules and issuing an SSL certificate it was not supposed to issue.
CAA allows website owners to specify which Certificate Authorities (CAs) are allowed to issue certificates in their name. Site owners set up a CAA rule for their domain by adding a CAA record to its DNS zone, such as the one below:
bleepingcomputer.com. CAA 0 issue "symantec.com"
This small rule tells any Certificate Authority that only Symantec can issue SSL certificates for the BleepingComputer.com domain.
According to the rules of the CAA standard approved by the CA/Browser Forum in Ballot 187, this April, Certificate Authorities such as Comodo must check a domain's CAA records in DNS before issuing new SSL certificates for it.
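As an added illustration, not part of the original article or of any CA's code, the Python below models the CAA issuance check a CA is expected to perform before issuing: walk up from the requested name to the nearest ancestor that has CAA records, then allow issuance only if an issue (or, for wildcards, issuewild) record names the CA. The zone entries and CA identifying domains are constructed for the example; no live DNS is queried.

```python
# Constructed zone data standing in for DNS answers: name -> list of
# (flags, tag, value) tuples as they would appear in CAA records.
SAMPLE_ZONE = {
    "bleepingcomputer.com.": [(0, "issue", "symantec.com")],
    "example.net.": [(0, "issue", "letsencrypt.org"),
                     (0, "iodef", "mailto:security@example.net")],
    "shop.example.": [(0, "issue", "letsencrypt.org"),
                      (0, "issuewild", "symantec.com")],
    "locked.example.": [(0, "issue", ";")],        # nobody may issue
    "strict.example.": [(128, "futuretag", "x")],  # unknown critical tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(name, zone):
    """Climb from the requested name toward the root; the closest ancestor
    (or the name itself) that has any CAA records is the authoritative set."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]) + ".", [])
        if records:
            return records
    return []


def issuer_domain(value):
    """An issue/issuewild value is 'domain; param=val; ...'; keep the domain."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name, ca_domain, zone, wildcard=False):
    """Return True if CAA permits the CA identified by ca_domain to issue a
    certificate for name (a wildcard certificate if wildcard=True)."""
    records = relevant_caa_set(name, zone)
    if not records:
        return True   # no CAA anywhere in the chain: no restriction
    # A critical record (flag bit 128) with a tag the CA does not
    # understand forbids issuance outright.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS
           for flags, tag, _ in records):
        return False
    tag = "issuewild" if wildcard else "issue"
    chosen = [r for r in records if r[1].lower() == tag]
    if wildcard and not chosen:   # no issuewild: issue records apply
        chosen = [r for r in records if r[1].lower() == "issue"]
    if not chosen:
        return True   # only unrelated tags such as iodef: not restricted
    return any(issuer_domain(v) == ca_domain.lower() for _, _, v in chosen)
```

A CA that skips this step, as the article reports, would return True for every request regardless of what the zone says; the same function is useful to a site owner for auditing what their own records actually permit.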
On Monday, German security researcher Hanno Böck shared with the infosec community that he managed to obtain an SSL certificate from Comodo — now revoked — for his own website, even though the domain's CAA record limited SSL issuance to Let's Encrypt only.
Böck says he obtained the certificate on Saturday, a day after CAA checks became mandatory on Friday, September 8.
"I was originally informed about the lack of CAA checking at Comodo by Michael Kliewe from the mail provider mail.de," Böck wrote in a mailing list. "However that was before CAA became mandatory."
"I have by now heard from multiple other people that confirmed the same," the expert added. "Seems right now Comodo isn't checking CAA at all."
On a page of its official website, Comodo states that it is CAA compliant.
Comodo did not respond to a request for comment from Bleeping Computer in time for this article's publication.