<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;
font-weight:normal;
font-style:normal;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;
font-weight:normal;
font-style:normal;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;
font-weight:normal;
font-style:normal;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I can’t remember where we left off last on this, but here is what I had proposed on June 27<sup>th</sup> (but I can’t remember whether there were strong objections, and if so, for what reasons). I think someone wasn’t happen because maybe I had carved away too much in response to Stephen’s comments, but I can’t remember. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:6.0pt;text-align:justify'><b>2. Authorization for Certificate:</b> That, at the time of issuance, the CA (i) implemented a procedure for verifying that the Subject authorized the issuance of the Certificate and that the Applicant Representative is authorized to request the Certificate on behalf of the Subject; (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA’s Certificate Policy and/or Certification Practice Statement<u>, which, effective as of [insert date that is six months from Ballot 125 adoption], SHALL set forth in Section 4.2 whether the CA reviews CAA records, and if so, the CA’s policy on processing CAA records for all Domain Names in Common Names and all Subject Alternative Name fields to be included in a Certificate</u>.” <o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Stephen Davidson<br><b>Sent:</b> Tuesday, July 15, 2014 1:42 PM<br><b>To:</b> Rick Andrews; Geoff Keating<br><b>Cc:</b> cabfpub<br><b>Subject:</b> Re: [cabfpub] Pre-Ballot 125 - CAA Records<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>See Ben’s email with alternative text below:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Ben Wilson<br><b>Sent:</b> Wednesday, May 14, 2014 5:46 PM<br><b>To:</b> 'CABFPub'<br><b>Subject:</b> Re: [cabfpub] Revisiting CAA<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>For consideration and discussion tomorrow as an alternative wording/structure to Rick’s proposed ballot:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Add new definition<o:p></o:p></span></b></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></b></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>CAA</span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>: From RFC 6844 (<a href="http://tools.ietf.org/html/rfc6844):">http:tools.ietf.org/html/rfc6844):</a> “The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify the Certification Authorities (CAs) authorized to issue certificates for that domain. Publication of CAA Resource Records allows a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.”<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Amend subparagraph 2 of 7.1.2 as follows: <o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>2. Authorization for Certificate: That, at the time of issuance, the CA (i) implemented a procedures for verifying that the Subject authorized the issuance of the Certificate<u>, including procedures to (a) consider the CAA record of each Domain Name to be listed in the Certificate’s subject field or subjectAltName extension,</u> and <s>that</s> <u>(b) to establish that</u> the Applicant Representative is authorized to request the Certificate on behalf of the Subject; (ii) followed the procedure<u>s</u> when issuing the Certificate; and (iii) accurately described the procedure<u>s</u> in <u>Section 4.2 of</u> the CA’s Certificate Policy <s>and/</s>or Certification Practices Statement;<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>[Note that regardless of whether it is RFC 2527 or RFC 36547, CAA processes should appear in section 4.2 of a CP or CPS (Certificate Application Processing, when based on RFC 3647, and Certificate Issuance, when based on RFC 2527).]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Add a new 7.1.3 CAA Disclosure<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Section 4.2 of the CA’s Certificate Policy or Certification Practice Statement SHALL either describe or disclaim the CA’s procedures undertaken to check CAA records. A CA MAY disclaim that it considers CAA records, as long as that disclaimer appears in Section 4.2 of that CA’s Certificate Policy or Certification Practice Statement. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Rick Andrews [<a href="mailto:Rick_Andrews@symantec.com">mailto:Rick_Andrews@symantec.com</a>] <br><b>Sent:</b> Tuesday, July 15, 2014 4:40 PM<br><b>To:</b> Stephen Davidson; Geoff Keating<br><b>Cc:</b> cabfpub<br><b>Subject:</b> RE: [cabfpub] Pre-Ballot 125 - CAA Records<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Stephen, what in the proposed text leads you to believe that it’s not clear we’re talking about (a)?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Rick Andrews <br><b>Sent:</b> Tuesday, July 15, 2014 12:39 PM<br><b>To:</b> 'Stephen Davidson'; Geoff Keating<br><b>Cc:</b> cabfpub<br><b>Subject:</b> RE: [cabfpub] Pre-Ballot 125 - CAA Records<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Stephen, IMO the intent of the ballot has always been (a). If anyone disagrees, please speak up.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Rick<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:1.0in'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Stephen Davidson [<a href="mailto:S.Davidson@quovadisglobal.com">mailto:S.Davidson@quovadisglobal.com</a>] <br><b>Sent:</b> Tuesday, July 15, 2014 12:31 PM<br><b>To:</b> Rick Andrews; Geoff Keating<br><b>Cc:</b> cabfpub<br><b>Subject:</b> RE: [cabfpub] Pre-Ballot 125 - CAA Records<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:1.0in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks guys. I think it still needs to be resolved which approach the ballot will take: a) CAs needing to state their CAA approach, or b) CAs needing to implement auditable CAA checks and state their policies for handling the info.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Regards, Stephen<o:p></o:p></span></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:1.0in'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Rick Andrews [<a href="mailto:Rick_Andrews@symantec.com">mailto:Rick_Andrews@symantec.com</a>] <br><b>Sent:</b> Tuesday, July 15, 2014 4:05 PM<br><b>To:</b> Geoff Keating; Stephen Davidson<br><b>Cc:</b> cabfpub<br><b>Subject:</b> RE: [cabfpub] Pre-Ballot 125 - CAA Records<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:1.0in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I agree with Geoff. CAs will typically issue a DNS query for just CAA records, not ANY. And if you’re worried about the impact to the client that’s looking up the address for <a href="http://www.example.com">www.example.com</a> in DNS, they also will not be affected by the addition of CAA records because they’ll be asking for A or AAAA records, not ANY.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I believe there’s no technical size concern here. I think the original comment came from Sigbjørn at Opera. If you’re still on the list, Siggy, would you please comment? Or perhaps someone else from Opera can comment?<o:p></o:p></span></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I know of no other issues, so perhaps we can proceed with balloting this?<o:p></o:p></span></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Rick<o:p></o:p></span></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:1.5in'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Geoff Keating<br><b>Sent:</b> Monday, June 30, 2014 10:18 AM<br><b>To:</b> Stephen Davidson<br><b>Cc:</b> cabfpub<br><b>Subject:</b> Re: [cabfpub] Pre-Ballot 125 - CAA Records<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:1.5in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:1.5in'><o:p> </o:p></p><div><div><p class=MsoNormal style='margin-left:1.5in'>On 30 Jun 2014, at 8:17 am, Stephen Davidson <<a href="mailto:S.Davidson@quovadisglobal.com">S.Davidson@quovadisglobal.com</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:1.5in'><o:p> </o:p></p><div><div><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>During the CABF discussion about CAA in June 2013, a browser representative pointed out that companies may hit against size constraints when using CAA:</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p></div><div style='margin-left:.5in'><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Adding the records increased our authoritative nameserver's DNS response from an already juicy 458 bytes to supreme juicyness of 506 bytes (512 bytes is still somewhat of the limit, at the very least resource usage will increase when topping that).</span><o:p></o:p></p></div><div style='margin-left:.5in'><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>And besides, we've seen that before of course, and our TXT SPF record is the main offender here, but 506 byte responses is probably on the "winning" side when it comes to selecting authoritative DNS servers for DNS amplification attacks.<span class=apple-converted-space> </span><span style='background:yellow'>Or spoken more generally: Maybe the CABForum should discuss how eager the community is to add a potential massive load of additional records to the root element of a zone/"domain".</span></span><o:p></o:p></p></div><div style='margin-left:.5in'><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;background:yellow'>If you use more than one CA for signing "https" certs, this can quickly explode in size all on itself, without the help of SPF entries in the zone. I'd guess this needs to be discussed.</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The technical discussion dropped off at this point. I believe it bears further analysis.</span><o:p></o:p></p></div></div><p class=MsoNormal style='margin-left:1.5in'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:1.5in'>I presume here we're talking about an ANY query, since a CAA response itself is usually small by itself. In that case it should be considered that an ANY query for <a href="http://icann.org">icann.org</a> is 5278 bytes, and even TLDs like com. or us. are 1555 bytes and 538 bytes respectively.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:1.5in'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:1.5in'>In actual use there should be no problem since real queries (as opposed to those intended for DoS) will not ask for the CAA record and so won't get it.<o:p></o:p></p></div></div></body></html>