<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Although CAA was designed around DNS, the actual record isn’t relevant DNS information. Since CAA is a policy decision that is being included in DNS as a convenient means of dissemination, any suitable replacement should be just as good if it has the same reliability of conveying info as the DNS records. Therefore, the structure of CAA doesn’t necessarily need to reflect the structure of DNS. What if the primary label just contained all the CAs authorized for the domain? A simpler way to do this would simply have the base domain indicate whether the policy applies to all other domains. This is already permitted in CAA with wildcards so simply adding a tag that specifies “apply to all domains” would be easier (Indeed – the spec is designed for this). How about PHB adds a tag of “base-approval=1” as a flag to indicate all superior labels are considered approved IF the flag is set. If the flag is not set, validation would have to occur at each node. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Jeremy<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></a></p><span style='mso-bookmark:_MailEndCompose'></span><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Tuesday, October 25, 2016 6:49 PM<br><b>To:</b> Jeremy Rowley <jeremy.rowley@digicert.com><br><b>Cc:</b> Gervase Markham <gerv@mozilla.org>; public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] Continuing the discussion on CAA<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Tue, Oct 25, 2016 at 4:26 PM, Jeremy Rowley via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal>Why not change how CAA so it works? Make it a base-domain check rather than a<br>hierarchy. Or have the base domain list all of the approved CAs? I realize<br>this will require a bis, but perhaps if the CAA record contained a "master<br>list" with a limit on who can approve at the base domain then that would work.<br>I was thinking of a system where you could specify the labelset property tag<br>applicable to the permission:<br><br>CAA 0 lbl=0 iodef "<a href="http://iodef.example.com/" target="_blank">http://iodef.example.com/</a>"<br><br>Where lbl is optional and defines the scope of the permission. This does put<br>the burden on the base domain holder to specify the acceptable root CAs, but<br>that burden is essentially already there with the permitted validation<br>processes.<o:p></o:p></p></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The choice of how CAA was designed was to reflect how DNS works, and the DNS hierarchy. As proposed, this would allow, for example, the operators of .com, .cn, or .ru to restrict which CAs can be used within their countries - which, while perhaps possible today, is certainly not an intended use case for CAA. Unless, of course, you're suggesting it requires multiple labels - but now you're into the problem of determining scope of authority, which is an unsolved problem, if you're not explicitly working from the top down.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm not sure about your proposed syntax and how it maps into how CAA is defined, but that sounds like an even more substantive update that would necessitate fully replacing/obsoleting the existing CAA record.<o:p></o:p></p></div></div></div></div></div></body></html>