Where should CAA issuer IDs be obtained from and how should they be validated?

Solution 1:

The relevant RFC 6844 doesn't mandate any standard for the issuer; actually the opposite: it grants almost complete freedom:

The semantics of issuer-parameters are determined by the issuer alone.

But to take a step back: CAA records were not intended, as far as I know, to be used by end-users to validate if the TLS certificate they get presented with is issued by the correct certificate issuer.

It was intended to only be used by a (reputable) certificate issuer to validate that they are allowed to issue a (new) certificate for that host/domain.

It is only the certificate issuer that needs to check if whatever they expect/require is present in the CAA record, if a CAA record exists.

Your certificate issuer, i.e. your CA, will need to communicate which domain(s) they recognise in the CAA issue records. And also which, if any, other parameters they require.

For example: Comodo, which uses comodo.com for its online brand, is completely free to recognise the completely different domain comodoca.com in CAA records. Actually, CAs are also not restricted to only recognise a single domain; Comodo, for instance, recognises four different ones: comodo.com, comodoca.com, usertrust.com and trust-provider.com.

Note: CAA records are only used when issuing a certificate. Reverse engineering what the CAA record should be from valid certificates that have already been issued serves no immediate purpose.

Where should CAA issuer IDs be obtained from?

As far as I know there is nothing that you can easily automate with regards to that, but for a manual approach: the CA/Browser Forum requires a uniform location for that info to be published:

"Effective as of 8 September 2017, section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement SHALL state the CA’s policy or practice on processing CAA Records for Fully Qualified Domain Names; that policy shall be consistent with these Requirements. It shall clearly specify the set of Issuer Domain Names that the CA recognises in CAA "issue" or "issuewild" records as permitting it to issue."
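To make the answer's point concrete (the check is performed by the CA, against the set of issuer domains that CA has declared it recognises), here is an added example that is not part of the original answer. It implements the CAA evaluation a CA performs as described in RFC 6844 (relevant record set found by climbing toward the root, `issue` versus `issuewild`, the empty-issuer form `;` meaning "nobody", and the issuer-critical flag) over a constructed in-memory zone rather than live DNS, so it runs offline. The zone contents, the `SAMPLE_ZONE` name and the function names are assumptions made for the example; the Comodo issuer domains are the four the answer lists.

```python
"""Evaluate CAA records the way a CA must before issuing (RFC 6844).

Added example, not from the original answer. Uses a constructed in-memory
zone instead of DNS so it runs offline; the zone data is sample data only.
"""
from typing import Dict, List, Tuple

CRITICAL = 0x80  # issuer-critical flag bit of a CAA record (RFC 6844 s.5.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone: owner name -> list of (flags, tag, value).
SAMPLE_ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com": [
        (0, "issue", "comodoca.com"),                       # Comodo may issue
        (0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        (0, "issuewild", ";"),                              # nobody may issue wildcards
        (0, "iodef", "mailto:security@example.com"),        # reporting address
    ],
    "sub.example.com": [
        (0, "issue", "digicert.com"),                       # overrides the parent set
    ],
    "critical.example.com": [
        (CRITICAL, "future-tag", "x"),                      # unknown critical property
    ],
}

# The issuer domains the answer says Comodo recognises in CAA records.
COMODO_ISSUER_DOMAINS = ["comodo.com", "comodoca.com",
                         "usertrust.com", "trust-provider.com"]


def relevant_caa_set(name: str, zone: Dict[str, List[Tuple[int, str, str]]]):
    """Return the CAA RRset of the closest name (self or ancestor) that has one."""
    host = name.rstrip(".").lower()
    if host.startswith("*."):          # wildcard requests use the parent's records
        host = host[2:]
    labels = host.split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'issuer-domain; key=value; ...' into (issuer_domain, parameters).

    An empty issuer domain (value ';') means no CA is authorised.
    """
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if not p:
            continue
        key, _, val = p.partition("=")
        params[key.strip().lower()] = val.strip()
    return issuer, params


def issuance_allowed(name: str, recognised_domains: List[str], zone) -> Tuple[bool, str]:
    """Decide, as a CA would, whether CAA permits this CA to issue for `name`.

    `recognised_domains` is the set of issuer domains the CA declares in its
    CP/CPS section 4.2; any one of them matching is sufficient.
    """
    wildcard = name.startswith("*.")
    recognised = {d.lower() for d in recognised_domains}
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True, "no CAA records on the name or any parent: unrestricted"
    # An unrecognised property with the critical flag set forbids issuance.
    for flags, tag, _ in rrset:
        if tag.lower() not in KNOWN_TAGS and flags & CRITICAL:
            return False, f"unrecognised critical property tag {tag!r}"
    tags = {tag.lower() for _, tag, _ in rrset}
    if wildcard and "issuewild" in tags:
        relevant = [r for r in rrset if r[1].lower() == "issuewild"]
    else:                               # non-wildcard, or no issuewild present
        relevant = [r for r in rrset if r[1].lower() == "issue"]
    if not relevant:
        return True, "CAA set has no issue/issuewild property: unrestricted"
    for _, _, value in relevant:
        issuer, params = parse_issue_value(value)
        if issuer in recognised:
            return True, f"permitted via {issuer!r}, parameters {params}"
    return False, "no issue/issuewild record names a domain this CA recognises"


if __name__ == "__main__":
    for host, ca in [("www.example.com", COMODO_ISSUER_DOMAINS),
                     ("*.example.com", COMODO_ISSUER_DOMAINS),
                     ("sub.example.com", COMODO_ISSUER_DOMAINS),
                     ("www.example.com", ["letsencrypt.org"])]:
        print(host, issuance_allowed(host, ca, SAMPLE_ZONE))
```

Note that the CA matches against the issuer domain it has published, not against the brand in its web address, which is exactly why `comodoca.com` in the sample zone authorises a CA that recognises the four Comodo domains. The parameters after the `;` are handed back untouched, since, as the RFC quoted above says, their meaning is up to the issuer.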