<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 10, 2016 at 10:29 AM, Steve Medin via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">> -----Original Message-----<br>
> From: Gervase Markham [mailto:<a href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>]<br>
> Sent: Thursday, November 10, 2016 12:40 PM<br>
> To: Steve Medin <<a href="mailto:Steve_Medin@symantec.com">Steve_Medin@symantec.com</a>>; CA/Browser Forum Public<br>
> Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
</span><span class="">> Subject: Re: [cabfpub] Draft CAA motion (2)<br>
><br>
> But here's another suggestion. Instead of mandating CAA in Mozilla policy,<br>
> we'll just say that issuing in the face of an adverse CAA record is a<br>
> serious<br>
> misissuance. Then, you'd be free to not check it as often as you liked,<br>
> relying<br>
> on your systems and contracts to save you - and the first time they went<br>
> wrong, we'd untrust your intermediate or remove your EV indicator or some<br>
> other sanction. How would that be? :-)<br>
><br>
> Gerv<br>
<br>
</span>Well, that depends on the validity of a contract from the customer that<br>
absolves the CA from the requirement to check CAA within their service.<br></blockquote><div><br></div><div>I don't really understand why you feel this way - that is, the validity of the contract doesn't seem to have any material impact on the BRs. Or, put differently, contracts neither replace nor reduce the scope of the BRs. So if Gerv put forward a ballot that said "caveat CA", and even if you had a contract that said you didn't have to, if the customer - or anyone else who checked the CAA record - pointed out to the contrary, then it would be treated as a serious misissuance. </div><div><br></div><div>So how does the contract matter?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Let customers opt out when they trust their CA and its audits and it's no<br>
longer CA policy or browsers trusting CAs. Let customers adopt CAA to block<br>
other CAs that do not hold such a contract.<br></blockquote><div><br></div><div>Let's imagine we accept this argument. Would you be open to requiring that the contract must be renegotiated any time there is a change in CAA, to ensure that, at all times, the customer is making an informed decision? Quite frankly, sometimes it takes browsers to protect users from predatory CAs, and so if say there was a change that affected or improved the security of CAA checking, the customer should be informed. Such a renegotiating-of-agreement clause would help prevent CAs from misrepresenting CAA (as some have), allow the customer flexibility, and put a burden of effort on the CA in order to replace the stronger technical guarantee. </div></div><br></div></div>