On Wed, Aug 14, 2024 at 07:13:57PM -0400, Phillip Hallam-Baker wrote:

> The certificate entries were removed when the draft moved into PKIX
> becoming CAA so as not to conflict with DANE. But the DANE group did not
> take note of the differences between the drafts and insisted on an approach
> that the Chrome group had rejected.
>
> I am not sure if I can fully remember the subtleties of the issues and
> which were mine and which were the Chrome teams. But the big issue for
> Chrome was always speed of resolution because THEIR ANNUAL BONUSES DEPENDED
> ON IT. So the CAA scheme was very carefully constructed so that it would
> not increase the resolution time. Another major difference is that DANE is
> certificate publication where CAA was certificate authentication. Finally,
> CAA does not require DNSSEC while DANE joined itself to it at the hip.

You're comparing apples and oranges: the audience for CAA is a candidate issuer CA, not the relying party as with TLSA. CAA is not relevant during TLS connection setup. So sure, CAA does not impact resolution time, because browsers simply never use it.

-- 
Viktor.