{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,19]],"date-time":"2026-05-19T12:37:35Z","timestamp":1779194255420,"version":"3.51.4"},"reference-count":84,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2018,5,1]],"date-time":"2018-05-01T00:00:00Z","timestamp":1525132800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["SIGCOMM Comput. Commun. Rev."],"published-print":{"date-parts":[[2018,5]]},"abstract":"<jats:p>Shaken by severe compromises, the Web\u2019s Public Key Infrastructure has seen the addition of several security mechanisms over recent years. One such mechanism is the Certification Authority Authorization (CAA) DNS record, that gives domain name holders control over which Certification Authorities (CAs) may issue certificates for their domain. First defined in RFC 6844, adoption by the CA\/B forum mandates that CAs validate CAA records as of September 8, 2017. The success of CAA hinges on the behavior of three actors: CAs, domain name holders, and DNS operators. We empirically study their behavior, and observe that CAs exhibit patchy adherence in issuance experiments, domain name holders configure CAA records in encouraging but error-prone ways, and only six of the 31 largest DNS operators enable customers to add CAA records. Furthermore, using historic CAA data, we uncover anomalies for already-issued certificates. We disseminated our results in the community. This has already led to specific improvements at several CAs and revocation of mis-issued certificates. Furthermore, in this work, we suggest ways to improve the security impact of CAA. To foster further improvements and to practice reproducible research, we share raw data and analysis tools.<\/jats:p>","DOI":"10.1145\/3213232.3213235","type":"journal-article","created":{"date-parts":[[2018,5,2]],"date-time":"2018-05-02T12:21:37Z","timestamp":1525263697000},"page":"10-23","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":33,"title":["A First Look at Certification Authority Authorization (CAA)"],"prefix":"10.1145","volume":"48","author":[{"given":"Quirin","family":"Scheitle","sequence":"first","affiliation":[{"name":"Technical University of Munich (TUM)"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Taejoong","family":"Chung","sequence":"additional","affiliation":[{"name":"Northeastern University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jens","family":"Hiller","sequence":"additional","affiliation":[{"name":"RWTH Aachen"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Oliver","family":"Gasser","sequence":"additional","affiliation":[{"name":"Technical University of Munich (TUM)"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Johannes","family":"Naab","sequence":"additional","affiliation":[{"name":"Technical University of Munich (TUM)"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Roland","family":"van Rijswijk-Deij","sequence":"additional","affiliation":[{"name":"University of Twente \/ SURFnet"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Oliver","family":"Hohlfeld","sequence":"additional","affiliation":[{"name":"RWTH Aachen"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ralph","family":"Holz","sequence":"additional","affiliation":[{"name":"The University of Sydney"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dave","family":"Choffnes","sequence":"additional","affiliation":[{"name":"Northeastern University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Alan","family":"Mislove","sequence":"additional","affiliation":[{"name":"Northeastern University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Georg","family":"Carle","sequence":"additional","affiliation":[{"name":"Technical University of Munich (TUM)"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2018,5]]},"reference":[{"key":"e_1_2_1_1_2","volume-title":"Jan. 18","author":"Result ACM.","year":"2017","unstructured":"ACM. Result and Artifact Review and Badging. http:\/\/acm.org\/publications\/policies\/artifact-review-badging , Jan. 18 2017 . ACM. Result and Artifact Review and Badging. http:\/\/acm.org\/publications\/policies\/artifact-review-badging, Jan. 18 2017."},{"key":"e_1_2_1_2_2","doi-asserted-by":"publisher","DOI":"10.1145\/3131365.3131401"},{"key":"e_1_2_1_3_2","volume-title":"TR-12-014","author":"Amann J.","year":"2012","unstructured":"J. Amann , M. Vallentin , S. Hall , and R. Sommer . Extracting Certificates from Live Traffic: A Near Real-Time SSL Notary Service . In TR-12-014 , 2012 . J. Amann, M. Vallentin, S. Hall, and R. Sommer. Extracting Certificates from Live Traffic: A Near Real-Time SSL Notary Service. In TR-12-014, 2012."},{"key":"e_1_2_1_4_2","volume-title":"Sep. 12","author":"Ayer Andrew","year":"2017","unstructured":"Andrew Ayer . CAA Test Suite. https:\/\/caatestsuite.com\/ , Sep. 12 , 2017 . Andrew Ayer. CAA Test Suite. https:\/\/caatestsuite.com\/, Sep. 12, 2017."},{"key":"e_1_2_1_5_2","unstructured":"H. Birge-Lee Y. Sun A. Edmundson J. Rexford and P. Mittal. Using BGP to Acquire Bogus TLS Certificates. HotPETS'17.  H. Birge-Lee Y. Sun A. Edmundson J. Rexford and P. Mittal. Using BGP to Acquire Bogus TLS Certificates. HotPETS'17 ."},{"key":"e_1_2_1_6_2","volume-title":"Jan. 3","year":"2018","unstructured":"Bugzilla. Comodo CAA Mis-Issuance. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1420873 , Jan. 3 , 2018 . Bugzilla. Comodo CAA Mis-Issuance. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1420873, Jan. 3, 2018."},{"key":"e_1_2_1_7_2","volume-title":"Oct- 23","author":"Mis-Issuance Comodo","year":"2017","unstructured":"Bugzilla. SSL.com\/ Comodo Mis-Issuance . https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1410834 , Oct- 23 , 2017 . Bugzilla. SSL.com\/Comodo Mis-Issuance. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1410834, Oct- 23, 2017."},{"key":"e_1_2_1_8_2","volume-title":"Oct. 18","year":"2017","unstructured":"Bugzilla. Camerfirma CAA Mis-Issuance. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1420871 , Oct. 18 , 2017 . Bugzilla. Camerfirma CAA Mis-Issuance. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1420871, Oct. 18, 2017."},{"key":"e_1_2_1_9_2","volume-title":"Oct. 18","year":"2017","unstructured":"Bugzilla. Certum CNAME Flag Mis-Issuance. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1409766 , Oct. 18 , 2017 . Bugzilla. Certum CNAME Flag Mis-Issuance. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1409766, Oct. 18, 2017."},{"key":"e_1_2_1_10_2","volume-title":"Oct. 18","year":"2017","unstructured":"Bugzilla. Certum Critical Flag Mis-Issuance. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1409764 , Oct. 18 , 2017 . Bugzilla. Certum Critical Flag Mis-Issuance. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1409764, Oct. 18, 2017."},{"key":"e_1_2_1_11_2","volume-title":"Oct. 18","year":"2017","unstructured":"Bugzilla. StartCom CNAME Flag Mis-Issuance. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1409760 , Oct. 18 , 2017 . Bugzilla. StartCom CNAME Flag Mis-Issuance. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1409760, Oct. 18, 2017."},{"key":"e_1_2_1_12_2","volume-title":"Sep. 12","year":"2017","unstructured":"Bugzilla. Comodo: CAA Misissuance. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1398545 , Sep. 12 , 2017 . Bugzilla. Comodo: CAA Misissuance. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1398545, Sep. 12, 2017."},{"key":"e_1_2_1_13_2","volume-title":"CABF Meeting Minutes. https:\/\/cabforum.org\/pipermail\/public\/2013-January\/001125","year":"2013","unstructured":"CA\/BrowserForum. CABF Meeting Minutes. https:\/\/cabforum.org\/pipermail\/public\/2013-January\/001125 .html, Jan. 10, 2013 . CA\/BrowserForum. CABF Meeting Minutes. https:\/\/cabforum.org\/pipermail\/public\/2013-January\/001125.html, Jan. 10, 2013."},{"key":"e_1_2_1_14_2","volume-title":"Nov. 10","author":"Ballot","year":"2017","unstructured":"CA\/BrowserForum. Ballot 214. https:\/\/cabforum.org\/2017\/09\/27\/ballot-214-caa-discovery-cname-errata\/ , Nov. 10 , 2017 . CA\/BrowserForum. Ballot 214. https:\/\/cabforum.org\/2017\/09\/27\/ballot-214-caa-discovery-cname-errata\/, Nov. 10, 2017."},{"key":"e_1_2_1_15_2","volume-title":"Oct. 14","author":"Ballot","year":"2014","unstructured":"CA\/BrowserForum. Ballot 125. https:\/\/cabforum.org\/2014\/10\/14\/ballot-125-caa-records\/ , Oct. 14 , 2014 . CA\/BrowserForum. Ballot 125. https:\/\/cabforum.org\/2014\/10\/14\/ballot-125-caa-records\/, Oct. 14, 2014."},{"key":"e_1_2_1_16_2","volume-title":"Oct. 4","year":"2017","unstructured":"CA\/BrowserForum. Baseline Requirements v1.5.4 , Oct. 4 , 2017 . CA\/BrowserForum. Baseline Requirements v1.5.4, Oct. 4, 2017."},{"key":"e_1_2_1_17_2","volume-title":"Sep. 20","year":"2017","unstructured":"CA\/BrowserForum. Baseline Requirements v1.5.2 , Sep. 20 , 2017 . CA\/BrowserForum. Baseline Requirements v1.5.2, Sep. 20, 2017."},{"key":"e_1_2_1_18_2","volume-title":"Sep. 7","author":"Ballot","year":"2017","unstructured":"CA\/BrowserForum. Ballot 187. https:\/\/cabforum.org\/2017\/03\/08\/ballot-187-make-caa-checking-mandatory\/ , Sep. 7 , 2017 . CA\/BrowserForum. Ballot 187. https:\/\/cabforum.org\/2017\/03\/08\/ballot-187-make-caa-checking-mandatory\/, Sep. 7, 2017."},{"key":"e_1_2_1_19_2","volume-title":"Sep. 7","author":"Ballot","year":"2017","unstructured":"CA\/BrowserForum. Ballot 195. https:\/\/cabforum.org\/2017\/04\/17\/ballot-195-caa-fixup\/ , Sep. 7 , 2017 . CA\/BrowserForum. Ballot 195. https:\/\/cabforum.org\/2017\/04\/17\/ballot-195-caa-fixup\/, Sep. 7, 2017."},{"key":"e_1_2_1_20_2","volume-title":"Feb. 1","author":"Security Cali Dog","year":"2018","unstructured":"Cali Dog Security . Certsteam. https:\/\/certstream.calidog.io\/ , Feb. 1 , 2018 . Cali Dog Security. Certsteam. https:\/\/certstream.calidog.io\/, Feb. 1, 2018."},{"key":"e_1_2_1_21_2","volume-title":"Jan. 25","author":"Team Chrome","year":"2010","unstructured":"Chrome Team . Chrome v4.0.249.78 Release Notes. https:\/\/chromereleases.googleblog.com\/2010\/01\/stable-channel-update_25.html , Jan. 25 , 2010 . Chrome Team. Chrome v4.0.249.78 Release Notes. https:\/\/chromereleases.googleblog.com\/2010\/01\/stable-channel-update_25.html, Jan. 25, 2010."},{"key":"e_1_2_1_22_2","doi-asserted-by":"publisher","DOI":"10.1145\/2987443.2987454"},{"key":"e_1_2_1_23_2","volume-title":"End-to-End View of the DNSSEC Ecosystem. In USENIX SEC'17","author":"Chung T.","unstructured":"T. Chung , R. van Rijswijk-Deij , B. Chandrasekaran , D. R. Choffnes , D. Levin , B. M. Maggs , A. Mislove , and C. Wilson . A Longitudinal , End-to-End View of the DNSSEC Ecosystem. In USENIX SEC'17 . T. Chung, R. van Rijswijk-Deij, B. Chandrasekaran, D. R. Choffnes, D. Levin, B. M. Maggs, A. Mislove, and C. Wilson. A Longitudinal, End-to-End View of the DNSSEC Ecosystem. In USENIX SEC'17."},{"key":"e_1_2_1_24_2","doi-asserted-by":"publisher","DOI":"10.1145\/3131365.3131373"},{"key":"e_1_2_1_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.41"},{"key":"e_1_2_1_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455798"},{"key":"e_1_2_1_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/3131365.3131391"},{"key":"e_1_2_1_28_2","volume-title":"US Department of Homeland Security","author":"Dittrich D.","year":"2012","unstructured":"D. Dittrich and E. Kenneally . The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research . US Department of Homeland Security , 2012 . D. Dittrich and E. Kenneally. The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research. US Department of Homeland Security, 2012."},{"key":"e_1_2_1_29_2","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813703"},{"key":"e_1_2_1_30_2","volume-title":"ZMap: Fast Internet-wide Scanning and Its Security Applications. In USENIX SEC'13","author":"Durumeric Z.","unstructured":"Z. Durumeric , E. Wustrow , and J. A. Halderman . ZMap: Fast Internet-wide Scanning and Its Security Applications. In USENIX SEC'13 . Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-wide Scanning and Its Security Applications. In USENIX SEC'13."},{"key":"e_1_2_1_31_2","volume-title":"Sep 15","author":"Blog Entrust","year":"2017","unstructured":"Entrust Blog . What Happened with live.fi. https:\/\/www.entrustdatacard.com\/blog\/2015\/march\/what-happened-with-livefi , Sep 15 , 2017 . Entrust Blog. What Happened with live.fi. https:\/\/www.entrustdatacard.com\/blog\/2015\/march\/what-happened-with-livefi, Sep 15, 2017."},{"key":"e_1_2_1_32_2","volume-title":"TMA'16","author":"Gasser O.","unstructured":"O. Gasser , Q. Scheitle , S. Gebhard , and G. Carle . Scanning the IPv6 Internet: Towards a Comprehensive Hitlist . In TMA'16 . O. Gasser, Q. Scheitle, S. Gebhard, and G. Carle. Scanning the IPv6 Internet: Towards a Comprehensive Hitlist. In TMA'16."},{"key":"e_1_2_1_33_2","volume-title":"Feb.","year":"2018","unstructured":"Google. Certificate Transparency Enforcement in Google Chrome. https:\/\/groups.google.com\/a\/chromium.org\/d\/msg\/ct-policy\/wHILiYf31DE\/iMFmpMEkAQAJ , Feb. 2018 . Google. Certificate Transparency Enforcement in Google Chrome. https:\/\/groups.google.com\/a\/chromium.org\/d\/msg\/ct-policy\/wHILiYf31DE\/iMFmpMEkAQAJ, Feb. 2018."},{"key":"e_1_2_1_34_2","volume-title":"Feb. 07","author":"Chrome Google","year":"2018","unstructured":"Google Chrome . Extended Validation in Google Chrome. https:\/\/www.certificate-transparency.org\/ev-ct-plan , Feb. 07 , 2018 . Google Chrome. Extended Validation in Google Chrome. https:\/\/www.certificate-transparency.org\/ev-ct-plan, Feb. 07, 2018."},{"key":"e_1_2_1_35_2","volume-title":"Sustaining Digital Certificate Security. https:\/\/security.googleblog.com\/2015\/10\/sustaining-digital-certificate-security.html","author":"Blog Google Security","year":"2015","unstructured":"Google Security Blog . Sustaining Digital Certificate Security. https:\/\/security.googleblog.com\/2015\/10\/sustaining-digital-certificate-security.html , 2015 . Google Security Blog. Sustaining Digital Certificate Security. https:\/\/security.googleblog.com\/2015\/10\/sustaining-digital-certificate-security.html, 2015."},{"key":"e_1_2_1_36_2","volume-title":"January","author":"Hallam-Baker P.","year":"2013","unstructured":"P. Hallam-Baker and R. Stradling . RFC6844 \u2013 DNS Certification Authority Authorization (CAA) Resource Record , January , 2013 . P. Hallam-Baker and R. Stradling. RFC6844 \u2013 DNS Certification Authority Authorization (CAA) Resource Record, January, 2013."},{"key":"e_1_2_1_37_2","volume-title":"Oct.","author":"Hallam-Baker P.","year":"2010","unstructured":"P. Hallam-Baker , R. Stradling , and B. Laurie . DNS Certification Authority Authorization (CAA) Resource Record. https:\/\/datatracker.ietf.org\/doc\/draft-hallambaker-donotissue\/ , Oct. 2010 . P. Hallam-Baker, R. Stradling, and B. Laurie. DNS Certification Authority Authorization (CAA) Resource Record. https:\/\/datatracker.ietf.org\/doc\/draft-hallambaker-donotissue\/, Oct. 2010."},{"key":"e_1_2_1_38_2","volume-title":"Dec.","author":"Hoffman P.","year":"2015","unstructured":"P. Hoffman , A. Sullivan , and K. Fujiwara . DNS Terminology. RFC 7719 (Informational) , Dec. 2015 . P. Hoffman, A. Sullivan, and K. Fujiwara. DNS Terminology. RFC 7719 (Informational), Dec. 2015."},{"key":"e_1_2_1_39_2","volume-title":"TLS and PKI History. https:\/\/www.feistyduck.com\/ssl-tls-and-pki-history\/","author":"Ristic Ivan","year":"2017","unstructured":"Ivan Ristic . TLS and PKI History. https:\/\/www.feistyduck.com\/ssl-tls-and-pki-history\/ , 2017 . Ivan Ristic. TLS and PKI History. https:\/\/www.feistyduck.com\/ssl-tls-and-pki-history\/, 2017."},{"key":"e_1_2_1_40_2","volume-title":"Turkish Registrar Enabled Phishers to Spoof Google. https:\/\/krebsonsecurity.com\/2013\/01\/turkish-registrar-enabled-phishers-to-spoof-google\/","author":"Krebs B.","year":"2013","unstructured":"B. Krebs . Turkish Registrar Enabled Phishers to Spoof Google. https:\/\/krebsonsecurity.com\/2013\/01\/turkish-registrar-enabled-phishers-to-spoof-google\/ , 2013 . B. Krebs. Turkish Registrar Enabled Phishers to Spoof Google. https:\/\/krebsonsecurity.com\/2013\/01\/turkish-registrar-enabled-phishers-to-spoof-google\/, 2013."},{"key":"e_1_2_1_41_2","volume-title":"Tracking Certificate Misissuance in the Wild","author":"Kumar D.","unstructured":"D. Kumar , M. Bailey , Z. Wang , M. Hyder , J. Dickinson , G. Beck , D. Adrian , J. Mason , Z. Durumeric , and J. A. Halderman . Tracking Certificate Misissuance in the Wild . In IEEE S &P'18. D. Kumar, M. Bailey, Z. Wang, M. Hyder, J. Dickinson, G. Beck, D. Adrian, J. Mason, Z. Durumeric, and J. A. Halderman. Tracking Certificate Misissuance in the Wild. In IEEE S&P'18."},{"key":"e_1_2_1_42_2","volume-title":"NOMS'18","author":"Le T. N.","unstructured":"T. N. Le , R. van Rijswijk-Deij , L. Allodi , and N. Zannone . Economic Incentives on DNSSEC Deployment: Time to Move from Quantity to Quality . In NOMS'18 . T. N. Le, R. van Rijswijk-Deij, L. Allodi, and N. Zannone. Economic Incentives on DNSSEC Deployment: Time to Move from Quantity to Quality. In NOMS'18."},{"key":"e_1_2_1_43_2","volume-title":"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=477783#c19","author":"Markham G.","year":"2009","unstructured":"G. Markham . Equifax not conforming to Mozilla CA Certificate Policy . https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=477783#c19 , 2009 . G. Markham. Equifax not conforming to Mozilla CA Certificate Policy. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=477783#c19, 2009."},{"key":"e_1_2_1_44_2","volume-title":"Mar. 22","year":"2011","unstructured":"Mozilla. Firefox v4 Release Notes. https:\/\/www.certificate-transparency.org\/ev-ct-plan , Mar. 22 , 2011 . Mozilla. Firefox v4 Release Notes. https:\/\/www.certificate-transparency.org\/ev-ct-plan, Mar. 22, 2011."},{"key":"e_1_2_1_45_2","volume-title":"Oct. 28","year":"2017","unstructured":"Mozilla. Public Suffix List: commit 85fa8fb. https:\/\/github.com\/publicsuffix\/list\/commit\/85fa8fbdf , Oct. 28 , 2017 . Mozilla. Public Suffix List: commit 85fa8fb. https:\/\/github.com\/publicsuffix\/list\/commit\/85fa8fbdf, Oct. 28, 2017."},{"key":"e_1_2_1_46_2","volume-title":"Mozilla","author":"Mozilla","year":"2018","unstructured":"Mozilla NSS. Mozilla January 2018 CA Communication . https:\/\/ccadb-public.secure.force.com\/mozillacommunications\/CACommResponsesOnlyReport?CommunicationId=a051J00003mqMFN&QuestionId=Q00056,Q00057, Feb. 08, 2018. Mozilla NSS. Mozilla January 2018 CA Communication. https:\/\/ccadb-public.secure.force.com\/mozillacommunications\/CACommResponsesOnlyReport?CommunicationId=a051J00003mqMFN&QuestionId=Q00056,Q00057, Feb. 08, 2018."},{"key":"e_1_2_1_47_2","volume-title":"https:\/\/groups.google.com\/d\/topic\/mozilla.dev.security.policy\/QpSVjzrj7T4","author":"Policy Mozilla Security","year":"2017","unstructured":"Mozilla Security Policy . CAA Anomalies . https:\/\/groups.google.com\/d\/topic\/mozilla.dev.security.policy\/QpSVjzrj7T4 , 2017 . Mozilla Security Policy. CAA Anomalies. https:\/\/groups.google.com\/d\/topic\/mozilla.dev.security.policy\/QpSVjzrj7T4, 2017."},{"key":"e_1_2_1_48_2","volume-title":"https:\/\/groups.google.com\/forum\/#!topic\/mozilla.dev.security.policy\/fyJ3EK2YOP8","author":"Policy Mozilla Security","year":"2017","unstructured":"Mozilla Security Policy . Misissued\/ Suspicious Symantec Certificates . https:\/\/groups.google.com\/forum\/#!topic\/mozilla.dev.security.policy\/fyJ3EK2YOP8 , 2017 . Mozilla Security Policy. Misissued\/Suspicious Symantec Certificates. https:\/\/groups.google.com\/forum\/#!topic\/mozilla.dev.security.policy\/fyJ3EK2YOP8, 2017."},{"key":"e_1_2_1_49_2","volume-title":"ROCA certificate in CT. https:\/\/groups.google.com\/forum\/#!msg\/mozilla.dev.security.policy\/4RqKdD0FeF4\/s5mV8NiqAAAJ","author":"Policy Mozilla Security","year":"2017","unstructured":"Mozilla Security Policy . ROCA certificate in CT. https:\/\/groups.google.com\/forum\/#!msg\/mozilla.dev.security.policy\/4RqKdD0FeF4\/s5mV8NiqAAAJ , 2017 . Mozilla Security Policy. ROCA certificate in CT. https:\/\/groups.google.com\/forum\/#!msg\/mozilla.dev.security.policy\/4RqKdD0FeF4\/s5mV8NiqAAAJ, 2017."},{"key":"e_1_2_1_50_2","volume-title":"https:\/\/groups.google.com\/forum\/#!topic\/mozilla.dev.security.policy\/4kj8Jeem0EU","author":"Policy Mozilla Security","year":"2017","unstructured":"Mozilla Security Policy . .tg certificates. https:\/\/groups.google.com\/forum\/#!topic\/mozilla.dev.security.policy\/4kj8Jeem0EU , 2017 . Mozilla Security Policy. .tg certificates. https:\/\/groups.google.com\/forum\/#!topic\/mozilla.dev.security.policy\/4kj8Jeem0EU, 2017."},{"key":"e_1_2_1_51_2","volume-title":"Jan. 10","author":"Policy Mozilla Security","year":"2018","unstructured":"Mozilla Security Policy . Feedback to CAA Study. https:\/\/groups.google.com\/forum\/#!topic\/mozilla.dev.security.policy\/mqNk9udMwvE , Jan. 10 , 2018 . Mozilla Security Policy. Feedback to CAA Study. https:\/\/groups.google.com\/forum\/#!topic\/mozilla.dev.security.policy\/mqNk9udMwvE, Jan. 10, 2018."},{"key":"e_1_2_1_52_2","unstructured":"E. Nigg. Unbelievable! https:\/\/groups.google.com\/d\/msg\/mozilla.dev.tech.crypto\/nAzIKSBEh78\/7GEZ4f57F-cJ Dec. 22 2008.  E. Nigg. Unbelievable! https:\/\/groups.google.com\/d\/msg\/mozilla.dev.tech.crypto\/nAzIKSBEh78\/7GEZ4f57F-cJ Dec. 22 2008."},{"key":"e_1_2_1_53_2","doi-asserted-by":"publisher","DOI":"10.1145\/2896816"},{"key":"e_1_2_1_54_2","volume-title":"Mar. 31","author":"Hoffman Paul","year":"2011","unstructured":"Paul Hoffman . IETF 80 SAAG Minutes. https:\/\/www.ietf.org\/proceedings\/80\/minutes\/saag.txt , Mar. 31 , 2011 . Paul Hoffman. IETF 80 SAAG Minutes. https:\/\/www.ietf.org\/proceedings\/80\/minutes\/saag.txt, Mar. 31, 2011."},{"key":"e_1_2_1_55_2","volume-title":"Feb. 20","author":"Industry Payment Card","year":"2018","unstructured":"Payment Card Industry . Data Security Standard. https:\/\/www.pcisecuritystandards.org , Feb. 20 , 2018 . Payment Card Industry. Data Security Standard. https:\/\/www.pcisecuritystandards.org, Feb. 20, 2018."},{"key":"e_1_2_1_56_2","volume-title":"Sep. 5","author":"Prins R.","year":"2012","unstructured":"R. Prins . DigiNotar Certificate Authority Breach \u201cOperation Black Tulip\u201d. https:\/\/www.rijksoverheid.nl\/binaries\/rijksoverheid\/documenten\/rapporten\/2011\/09\/05\/diginotar-public-report-version-1\/rapport-fox-it-operation-black-tulip-v1-0.pdf , Sep. 5 , 2012 . R. Prins. DigiNotar Certificate Authority Breach \u201cOperation Black Tulip\u201d. https:\/\/www.rijksoverheid.nl\/binaries\/rijksoverheid\/documenten\/rapporten\/2011\/09\/05\/diginotar-public-report-version-1\/rapport-fox-it-operation-black-tulip-v1-0.pdf, Sep. 5, 2012."},{"key":"e_1_2_1_57_2","volume-title":"CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1420766","author":"Scheitle Q.","year":"2017","unstructured":"Q. Scheitle . AlphaSSL\/Globalsign : CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1420766 , 2017 . Q. Scheitle. AlphaSSL\/Globalsign: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1420766, 2017."},{"key":"e_1_2_1_58_2","volume-title":"Potential Mis-Issuance based on CAA records (Sep 28","author":"Q. Scheitle. Comodo\/cPanel","year":"2017","unstructured":"Q. Scheitle. Comodo\/cPanel : Potential Mis-Issuance based on CAA records (Sep 28 , 2017 ). https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1420873, 2017. Q. Scheitle. Comodo\/cPanel: Potential Mis-Issuance based on CAA records (Sep 28, 2017). https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1420873, 2017."},{"key":"e_1_2_1_59_2","volume-title":"CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1420861","author":"Scheitle Q.","year":"2017","unstructured":"Q. Scheitle . DigiCert\/Thawte : CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1420861 , 2017 . Q. Scheitle. DigiCert\/Thawte: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1420861, 2017."},{"key":"e_1_2_1_60_2","volume-title":"HLOC: Hints-Based Geolocation Leveraging Multiple Measurement Frameworks. In TMA'17","author":"Scheitle Q.","unstructured":"Q. Scheitle , O. Gasser , P. Sattler , and G. Carle . HLOC: Hints-Based Geolocation Leveraging Multiple Measurement Frameworks. In TMA'17 . Q. Scheitle, O. Gasser, P. Sattler, and G. Carle. HLOC: Hints-Based Geolocation Leveraging Multiple Measurement Frameworks. In TMA'17."},{"key":"e_1_2_1_61_2","volume-title":"PAM'16","author":"Scheitle Q.","unstructured":"Q. Scheitle , M. Wachs , J. Zirngibl , and G. Carle . Analyzing Locality of Mobile Messaging Traffic using the MATAdOR Framework . In PAM'16 , Heraklion, Greece. Q. Scheitle, M. Wachs, J. Zirngibl, and G. Carle. Analyzing Locality of Mobile Messaging Traffic using the MATAdOR Framework. In PAM'16, Heraklion, Greece."},{"key":"e_1_2_1_62_2","doi-asserted-by":"publisher","DOI":"10.1145\/3097766.3097768"},{"key":"e_1_2_1_63_2","volume-title":"Dec. 15","author":"Helme Scott","year":"2017","unstructured":"Scott Helme . Tracking CAA Usage. https:\/\/scotthelme.co.uk\/tracking-caa-usage\/ , Dec. 15 , 2017 . Scott Helme. Tracking CAA Usage. https:\/\/scotthelme.co.uk\/tracking-caa-usage\/, Dec. 15, 2017."},{"key":"e_1_2_1_64_2","volume-title":"May","author":"Seifried K.","year":"2010","unstructured":"K. Seifried . Breach of trust. http:\/\/www.linux-magazine.com\/Issues\/2010\/114\/Security-Lessons-Spoofed-Browsers , May , 2010 . K. Seifried. Breach of trust. http:\/\/www.linux-magazine.com\/Issues\/2010\/114\/Security-Lessons-Spoofed-Browsers, May, 2010."},{"key":"e_1_2_1_65_2","volume-title":"Oct. 28","author":"Sleevi R.","year":"2015","unstructured":"R. Sleevi . Sustaining Digital Certificate Security . Google blog post: https:\/\/googleonlinesecuritys.blogspot.com\/2015\/12\/sustaining-digital-certificate-security.html , Oct. 28 , 2015 . R. Sleevi. Sustaining Digital Certificate Security. Google blog post: https:\/\/googleonlinesecuritys.blogspot.com\/2015\/12\/sustaining-digital-certificate-security.html, Oct. 28, 2015."},{"key":"e_1_2_1_66_2","volume-title":"Sep. 12","author":"Generator CAA","year":"2017","unstructured":"SSLMate. CAA Generator . https:\/\/sslmate.com\/caa\/ , Sep. 12 , 2017 . SSLMate. CAA Generator. https:\/\/sslmate.com\/caa\/, Sep. 12, 2017."},{"key":"e_1_2_1_67_2","volume-title":"Feb. 26","author":"Stark E.","year":"2018","unstructured":"E. Stark . Expect- CT Extension for HTTP. https:\/\/datatracker.ietf.org\/doc\/html\/draft-ietf-httpbis-expect-ct , Feb. 26 , 2018 . E. Stark. Expect-CT Extension for HTTP. https:\/\/datatracker.ietf.org\/doc\/html\/draft-ietf-httpbis-expect-ct, Feb. 26, 2018."},{"key":"e_1_2_1_68_2","volume-title":"Short Paper: On Deployment of DNS-based Security Enhancements","author":"Szalachowski P.","year":"2017","unstructured":"P. Szalachowski and A. Perrig . Short Paper: On Deployment of DNS-based Security Enhancements . 2017 . P. Szalachowski and A. Perrig. Short Paper: On Deployment of DNS-based Security Enhancements. 2017."},{"key":"e_1_2_1_69_2","volume-title":"How I got a valid SSL certificate for my ISP's main domain, xs4all.nl. https:\/\/raymii.org\/s\/blog\/How_I_got_a_valid_SSL_certificate_for_my_ISPs_main_website.html","author":"van Enst R.","year":"2017","unstructured":"R. van Enst . How I got a valid SSL certificate for my ISP's main domain, xs4all.nl. https:\/\/raymii.org\/s\/blog\/How_I_got_a_valid_SSL_certificate_for_my_ISPs_main_website.html , 2017 . R. van Enst. How I got a valid SSL certificate for my ISP's main domain, xs4all.nl. https:\/\/raymii.org\/s\/blog\/How_I_got_a_valid_SSL_certificate_for_my_ISPs_main_website.html, 2017."},{"key":"e_1_2_1_70_2","volume-title":"Scalable Infrastructure for Large-Scale Active DNS Measurements","author":"van Rijswijk-Deij R.","year":"2016","unstructured":"R. van Rijswijk-Deij , M. Jonker , A. Sperotto , and A. Pras . A High-Performance , Scalable Infrastructure for Large-Scale Active DNS Measurements . IEEE JSAC , 2016 . R. van Rijswijk-Deij, M. Jonker, A. Sperotto, and A. Pras. A High-Performance, Scalable Infrastructure for Large-Scale Active DNS Measurements. IEEE JSAC, 2016."},{"key":"e_1_2_1_71_2","doi-asserted-by":"publisher","DOI":"10.1145\/2987443.2987462"},{"key":"e_1_2_1_72_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133988"},{"key":"e_1_2_1_73_2","volume-title":"Sep. 14","year":"2017","unstructured":"W3Techs. Historical trends in the usage of SSL certificate authorities for websites. https:\/\/w3techs.com\/technologies\/history_overview\/ssl_certificate\/all , Sep. 14 , 2017 . W3Techs. Historical trends in the usage of SSL certificate authorities for websites. https:\/\/w3techs.com\/technologies\/history_overview\/ssl_certificate\/all, Sep. 14, 2017."},{"key":"e_1_2_1_74_2","volume-title":"Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication. In TMA'17","author":"Wachs M.","unstructured":"M. Wachs , Q. Scheitle , and G. Carle . Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication. In TMA'17 , Dublin, Ireland. M. Wachs, Q. Scheitle, and G. Carle. Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication. In TMA'17, Dublin, Ireland."},{"key":"e_1_2_1_75_2","volume-title":"March","author":"Thayer Wayne","year":"2018","unstructured":"Wayne Thayer . AC Camerfirma Chambers of Commerce and Global Chambersign 2016 Root Inclusion Request. https:\/\/groups.google.com\/d\/msg\/mozilla.dev.security.policy\/skev4gp_bY4\/snIuP2JLAgAJ , March , 2018 . Wayne Thayer. AC Camerfirma Chambers of Commerce and Global Chambersign 2016 Root Inclusion Request. https:\/\/groups.google.com\/d\/msg\/mozilla.dev.security.policy\/skev4gp_bY4\/snIuP2JLAgAJ, March, 2018."},{"key":"e_1_2_1_76_2","volume-title":"July 20","author":"Whalley A.","year":"2017","unstructured":"A. Whalley and D. O'Brien . Google Security Blog: https:\/\/security.googleblog.com\/2017\/07\/final-removal-of-trust-in-wosign-and.html , July 20 , 2017 . A. Whalley and D. O'Brien. Google Security Blog: https:\/\/security.googleblog.com\/2017\/07\/final-removal-of-trust-in-wosign-and.html, July 20, 2017."},{"key":"e_1_2_1_77_2","volume-title":"Sep. 12","author":"SSL.","year":"2017","unstructured":"Which SSL. Top 10 SSL Certificate Providers. https:\/\/www.whichssl.com\/top-10-ssl-certificate-providers.php , Sep. 12 , 2017 . WhichSSL. Top 10 SSL Certificate Providers. https:\/\/www.whichssl.com\/top-10-ssl-certificate-providers.php, Sep. 12, 2017."},{"key":"e_1_2_1_78_2","volume-title":"April 28","author":"Wilson K.","year":"2011","unstructured":"K. Wilson . Bug 653543\u2014comodo subca. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=653543 , April 28 , 2011 . K. Wilson. Bug 653543\u2014comodo subca. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=653543, April 28, 2011."},{"key":"e_1_2_1_79_2","volume-title":"Dec. 9","author":"Wilson K.","year":"2013","unstructured":"K. Wilson . Revoking Trust in one ANSSI Certificate. https:\/\/blog.mozilla.org\/security\/2013\/12\/09\/revoking-trust-in-one-anssi-certificate\/ , Dec. 9 , 2013 . K. Wilson. Revoking Trust in one ANSSI Certificate. https:\/\/blog.mozilla.org\/security\/2013\/12\/09\/revoking-trust-in-one-anssi-certificate\/, Dec. 9, 2013."},{"key":"e_1_2_1_80_2","volume-title":"June","author":"Wilson K.","year":"2016","unstructured":"K. Wilson . alicdn.com Misissuance. https:\/\/wiki.mozilla.org\/CA:WoSign_Issues , June 2016 . K. Wilson. alicdn.com Misissuance. https:\/\/wiki.mozilla.org\/CA:WoSign_Issues, June 2016."},{"key":"e_1_2_1_81_2","first-page":"2015","article-title":"\/03\/23\/revoking-trust-in-one-cnnic-intermediate-certificate\/","volume":"23","author":"Wilson K.","year":"2015","unstructured":"K. Wilson . Revoking Trust in one CNNIC Intermediate Certificate . https:\/\/blog.mozilla.org\/security\/ 2015 \/03\/23\/revoking-trust-in-one-cnnic-intermediate-certificate\/ , Mar. 23 , 2015 . K. Wilson. Revoking Trust in one CNNIC Intermediate Certificate. https:\/\/blog.mozilla.org\/security\/2015\/03\/23\/revoking-trust-in-one-cnnic-intermediate-certificate\/, Mar. 23, 2015.","journal-title":"Mar."},{"key":"e_1_2_1_82_2","volume-title":"Oct. 24","author":"Wilson K.","year":"2016","unstructured":"K. Wilson . Mozilla blog post : https:\/\/blog.mozilla.org\/security\/2016\/10\/24\/distrusting-new-wosign-and-startcom-certificates\/ , Oct. 24 , 2016 . K. Wilson. Mozilla blog post: https:\/\/blog.mozilla.org\/security\/2016\/10\/24\/distrusting-new-wosign-and-startcom-certificates\/, Oct. 24, 2016."},{"key":"e_1_2_1_83_2","unstructured":"T. Zimmermann J. R\u00fcth B. Wolters and O. Hohlfeld. How HTTP\/2 Pushes the Web: An Empirical Study of HTTP\/2 Server Push. In IFIP Networking'17.  T. Zimmermann J. R\u00fcth B. Wolters and O. Hohlfeld. How HTTP\/2 Pushes the Web: An Empirical Study of HTTP\/2 Server Push. In IFIP Networking'17 ."},{"key":"e_1_2_1_84_2","unstructured":"M. Zusman. Domain validated SSL certificates. http:\/\/schmoil.blogspot.de\/2008\/08\/domain-validated-ssl-certificates.html Aug. 25 2008.  M. Zusman. Domain validated SSL certificates. http:\/\/schmoil.blogspot.de\/2008\/08\/domain-validated-ssl-certificates.html Aug. 25 2008."}],"container-title":["ACM SIGCOMM Computer Communication Review"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3213232.3213235","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3213232.3213235","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T02:08:12Z","timestamp":1750212492000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3213232.3213235"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,5]]},"references-count":84,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2018,5]]}},"alternative-id":["10.1145\/3213232.3213235"],"URL":"https:\/\/doi.org\/10.1145\/3213232.3213235","relation":{},"ISSN":["0146-4833"],"issn-type":[{"value":"0146-4833","type":"print"}],"subject":[],"published":{"date-parts":[[2018,5]]},"assertion":[{"value":"2018-05-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}