<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1>
<p class=MsoNormal><span style='color:#1F497D'>1. There is a significant difference between asking CAs to disclose their CAA practices and requiring CAs to test CAA (with audit trail) for every certificate issued. I read the alternative below as a MUST. If so, I suggest that six months is too short an implementation window, particularly given the major re-plumbing of issuance flows that CAs must undertake for Certificate Transparency. <o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>2. Currently the BR and the EVG allow different “aging” periods for the reuse of data in the validation of a certificate. If the intent is that CAA would be tested for every certificate request, that should be specifically noted in the respective aging sections of those documents (BR 11.3 and EVG 11.13).<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>3. The RFC allows the domain owner to broadcast their preference for a CA. The “issue” tag uses the domain of the CA. I suspect in practice that may be less precise than intended given the proliferation of brands. For example, Google has a CAA record naming “symantec.com” when in fact their hierarchy is topped by a GeoTrust CA (a Symantec subsidiary with its own brand). In addition, other major CAs have cross-signing agreements with other CAs – meaning that their hierarchy may be topped by someone else. <o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>4. Other tags in CAA are reserved: “path” allows you to post a digest for a specific CA root, and “policy” allows you to specify the OID of your chosen cert type. The tag “auth” does not appear to be defined. 
Are we saying that these too are to be adopted now?<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Regards, Stephen<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Ben Wilson<br><b>Sent:</b> Friday, June 27, 2014 1:14 PM<br><b>To:</b> 'Rick Andrews'; 'cabfpub'<br><b>Subject:</b> [cabfpub] Pre-Ballot 125 - CAA Records<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'>Rick,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Here are the alternative provisions for you to look at and choose from.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Ben<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=line867 style='margin-left:.5in'><strong>Pre-Ballot 125 - CAA Records</strong> <o:p></o:p></p><p class=line874 style='margin-left:.5in'>Rick Andrews of Symantec made the following motion and Jeremy Rowley of Digicert and Ryan Sleevi of Google have endorsed it: <o:p></o:p></p><p class=line867 style='margin-left:.5in'><strong>Reasons for proposed ballot</strong> RFC 6844 defines a Certification Authority Authorization DNS Resource Record (CAA). A CAA allows a DNS domain name holder to specify the CAs authorized to issue certificates for that domain. 
Publication of the CAA allows a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issuance. <o:p></o:p></p>
<p class=line874 style='margin-left:.5in'>The proponents of this ballot believe that this proposed modification to the Baseline Requirements, which gives CAs up to six months to update their CP and/or CPS to state the degree to which they implement CAA, provides all CAs with the flexibility needed to begin implementation of CAA. <o:p></o:p></p>
<p class=line867 style='margin-left:.5in'><strong>---MOTION BEGINS---</strong> <o:p></o:p></p>
<p class=line867 style='margin-left:.5in'><strong>Add to Section 4 Definitions, new item:</strong> <o:p></o:p></p>
<p class=line867 style='margin-left:.5in'><strong>CAA:</strong> From RFC 6844 (<a href="http://tools.ietf.org/html/rfc6844">http://tools.ietf.org/html/rfc6844</a>): “The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify the Certification Authorities (CAs) authorized to issue certificates for that domain. Publication of CAA Resource Records allows a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.” <o:p></o:p></p>
<p class=line867 style='margin-left:.5in'><b>Amend subparagraph 2 of 7.1.2 to read as follows: <o:p></o:p></b></p>
<p class=line867 style='margin-left:.5in'> 2. 
Authorization for Certificate: That, at the time of issuance, the CA (i) implemented procedures for verifying that the Subject authorized the issuance of the Certificate, <u>including procedures to (a) consider the CAA record of each Domain Name to be listed in the Certificate’s subject field or subjectAltName extension,</u> and <u>(b) to establish</u> that the Applicant Representative is authorized to request the Certificate on behalf of the Subject; (ii) followed the procedures when issuing the Certificate; and (iii) accurately described the procedure<u>s</u> in the CA’s Certificate Policy and/or Certification Practices Statement;<o:p></o:p></p><p class=line867 style='margin-left:.5in'><b>Add a new section 7.1.3 CAA Disclosure as follows:<o:p></o:p></b></p><p class=line867 style='margin-left:.5in'>Effective as of [insert date that is six months from Ballot 125 adoption], Section 4.2 of the CA’s Certificate Policy or Certification Practice Statement SHALL set forth the CA’s policy regarding its procedures for considering CAA records for Domain Names to be listed in the Certificate’s subject field or subjectAltName extension. <o:p></o:p></p><p class=line867 style='margin-left:.5in'><strong>Add a new sentence to the end of Section 8.2.2, Disclosure, as follows:</strong> <o:p></o:p></p><p class=line874 style='margin-left:.5in'>Effective as of [insert date that is six months from Ballot 125 adoption], section 4.2 of a CA's Certificate Policy and/or Certification Practice shall disclose the CA's policy and/or practices on processing CAA records. <o:p></o:p></p><p class=line874 style='margin-left:.5in'><b>The resulting Section 8.2.2 would read as follows:<o:p></o:p></b></p><p class=line874 style='margin-left:.5in'>The CA SHALL publicly disclose its Certificate Policy and/or Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. 
The CA SHALL publicly disclose its CA business practices to the extent required by the CA’s selected audit scheme (see Section 17.1). The disclosures MUST include all the material required by RFC 2527 or RFC 3647, and MUST be structured in accordance with either RFC 2527 or RFC 3647. <u>Effective as of [insert date that is six months from Ballot 125 adoption], section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement shall disclose the CA's policy and/or practices on processing CAA records.<o:p></o:p></u></p><p class=line867 style='margin-left:.5in'><strong>---MOTION ENDS---</strong><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p></div></body></html>
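Added example, not code from the thread or from any CA's issuance system: a small RFC 6844 evaluator in Python of the kind of per-name CAA check that the amended 7.1.2(2)(a) asks CAs to perform, run against a constructed in-memory zone rather than live DNS. It also illustrates the brand mismatch raised in point 3 above (a record naming "symantec.com" only matches if the CA recognises that issuer domain as one of its own) and shows that a reserved tag such as "path" blocks issuance only when its critical flag is set; "example.com", "locked.test" and the other zone entries are constructed sample values.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample zone (not real DNS data): name -> [(flags, tag, value)].
# "www.example.com" has no record of its own, so the lookup climbs to its parent.
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com": [(0, "issue", "symantec.com"), (0, "issuewild", ";")],
    "example.net": [(0, "issue", ";")],                    # nobody may issue
    "example.org": [(0, "iodef", "mailto:security@example.org")],
    "locked.test": [(128, "path", "sha256:placeholder")],  # critical, unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # the tags this checker understands

def relevant_caa(name: str) -> Optional[List[Tuple[int, str, str]]]:
    """RFC 6844 s.4: the relevant RRSet is the first non-empty CAA set found by
    climbing from the name towards the root; for a wildcard the "*" label is
    dropped first. CNAME/DNAME alias handling is omitted in this example."""
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None  # no CAA anywhere up the tree: issuance is unrestricted

def caa_permits(name: str, ca_domains: Set[str]) -> bool:
    """True if the relevant CAA RRSet lets a CA that identifies itself by any
    of the issuer domain names in ca_domains issue a certificate for name."""
    rrset = relevant_caa(name)
    if rrset is None:
        return True
    # A tag the CA does not understand whose critical flag (bit 0 of the flags
    # octet, value 128) is set forbids issuance outright.
    if any(flags & 0x80 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issue"
    if name.startswith("*.") and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild governs wildcard names when present
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True  # no issue/issuewild property: the CA is not restricted
    for value in values:
        issuer_domain = value.split(";", 1)[0].strip().lower()
        if issuer_domain and issuer_domain in ca_domains:
            return True
    return False  # no match, or only ";" (empty issuer): must not issue

def check_certificate_request(names: List[str], ca_domains: Set[str]) -> Dict[str, bool]:
    """Evaluate every name that would appear in the subject or subjectAltName."""
    return {n: caa_permits(n, ca_domains) for n in names}
```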