<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.im
{mso-style-name:im;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Segoe UI",sans-serif;
color:#1F497D;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif;color:#1F497D">I’m just trying to rationalize the security benefit of a company like Microsoft checking CAA on every certificate it issues when it’s never going to issue to a third party. The
amount of work is high and there’s almost no return for that for us because we only issue certs to Microsoft and Microsoft properties like Azure and Office.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b>From:</b> Richard Barnes [mailto:rbarnes@mozilla.com] <br>
<b>Sent:</b> Thursday, October 27, 2016 3:45 PM<br>
<b>To:</b> CA/Browser Forum Public Discussion List <public@cabforum.org><br>
<b>Cc:</b> Jody Cloutier <jodycl@microsoft.com><br>
<b>Subject:</b> Re: [cabfpub] Continuing the discussion on CAA<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Thu, Oct 27, 2016 at 6:33 PM, Jody Cloutier via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal">Question: If a company has trusted roots, but it does not issue roots to the general public, would it still have to check the CAA database?<o:p></o:p></p>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">I assume you mean "issue certificates"?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">I'm not sure what you mean by "not issuing to the general public", but I'm concerned about heading back toward the "internal names" exception that we killed not so long ago.
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">--Richard<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<span class="im">-----Original Message-----</span><br>
<span class="im">From: Public [mailto:<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>] On Behalf Of Andrew Ayer via Public</span><br>
<span class="im">Sent: Tuesday, October 25, 2016 10:32 AM</span><br>
<span class="im">To: <a href="mailto:public@cabforum.org">public@cabforum.org</a></span><br>
<span class="im">Subject: Re: [cabfpub] Continuing the discussion on CAA</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">On Mon, 24 Oct 2016 18:52:06 +0000<br>
Jeremy Rowley via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> wrote:<br>
<br>
> "CAA records MAY be used by Certificate Evaluators as a possible<br>
> indicator of a security policy violation. Such use SHOULD take<br>
> account of the possibility that published CAA records changed<br>
> between the time a certificate was issued and the time at which the<br>
> certificate was observed by the Certificate Evaluator."<br>
><br>
> I know it says this, but I'm not sure how this would ever happen in<br>
> practice. That seems more like the role of CT over CAA.<br>
<br>
CT finds certificates but doesn't tell you whether a certificate was authorized or not. A CT monitor could check CAA records and raise an alarm if a certificate was issued by an unauthorized CA.<br>
<br>
Regards,<br>
Andrew<br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>