[cabfpub] Pre-Ballot 125 - CAA Records

Rick Andrews Rick_Andrews at symantec.com
Thu Jul 17 21:51:51 UTC 2014


Siggy,

There are a number of Security Considerations in Section 6 of the CAA RFC (http://tools.ietf.org/html/rfc6844#page-13) which detail possible abuse.

Stephen,

Are you ok with Ben's proposed language that he proposed on June 27?

2.  Authorization for Certificate:  That, at the time of issuance, the CA (i) implemented a procedure for verifying that the Subject authorized the issuance of the Certificate and that the Applicant Representative is authorized to request the Certificate on behalf of the Subject; (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA's Certificate Policy and/or Certification Practice Statement, which, effective as of [insert date that is six months from Ballot 125 adoption], SHALL set forth in Section 4.2 whether the CA reviews CAA records, and if so, the CA's policy on processing CAA records for all Domain Names in Common Names and all Subject Alternative Name fields to be included in a Certificate."

-Rick

-----Original Message-----
From: Sigbjørn Vik [mailto:sigbjorn at opera.com]
Sent: Wednesday, July 16, 2014 12:49 AM
To: Rick Andrews; Geoff Keating; Stephen Davidson
Cc: cabfpub
Subject: Re: [cabfpub] Pre-Ballot 125 - CAA Records

> *On Behalf Of *Geoff Keating
> In actual use there should be no problem since real queries (as
> opposed to those intended for DoS) will not ask for the CAA record and
> so won't get it.

When implementing this, we do need to bear in mind the potential for abuse as well.

--
Sigbjørn Vik
Opera Software
