<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">I tried to write the CABForum WG charter so that it did not include changes to the CAA specification itself; these should indeed be handled at the IETF level. This WG is about adoption of CAA in the Baseline Requirements. Some topics we might cover are:</div><div class=""><br class=""></div><div class="">- Requirement for DNSSEC checking—for example, we might extend the current requirements so that CAs obtain and retain a record of the NSEC/NSEC3 record proving a subdomain does not use DNSSEC, even if they don’t actually check the crypto</div><div class="">- Error handling—for example, perhaps repeated failure to find a record should be treated as if the record is missing, rather than the current interpretation where we treat it as if the record exists and allows issuance, or we might just go to fail-closed</div><div class="">- Adoption of any new IETF RFCs, which may need to be phased in</div><div class="">- Adoption of any new IETF Errata</div><div class=""><br class=""></div><div class="">I don’t think any of these apply at the IETF level; I’m sure the IETF is not going to specify a ‘what if you only wanted a little bit of DNSSEC’ configuration, I think the IETF RFC should specify fail-closed because that’s the only fully secure approach, and the IETF can’t specify adoption of their standards in the Baseline Requirements.</div><div><br class=""><blockquote type="cite" class=""><div class="">On 5 Oct 2017, at 11:09 am, Phillip via Public <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; font-family: HelveticaNeue; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">I can well imagine a possibility where the IETF WG might leave some parts of the specification specified in less detail than would be desirable for compliance purposes and thus make work in CABForum desirable. But lets cross that bridge if we come to it.<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">What somewhat worries me is a situation in which I have ten CABForum members tell me that they really want X in a CABForum group and then I report that into the IETF WG and three people say they have other ideas and there being 3 of them and one of me, they represent the consensus. IETF process does allow for liasons and there might be an argument for a CABForum/IETF liason. But that does not seem like the right approach here.<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="border-style: none none none solid; border-left-width: 1.5pt; border-left-color: blue; padding: 0in 0in 0in 4pt;" class=""><div class=""><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: 3pt 0in 0in;" class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><b class="">From:</b><span class="Apple-converted-space"> </span>Public [<a href="mailto:public-bounces@cabforum.org" class="">mailto:public-bounces@cabforum.org</a>]<span class="Apple-converted-space"> </span><b class="">On Behalf Of<span class="Apple-converted-space"> </span></b>Ryan Sleevi via Public<br class=""><b class="">Sent:</b><span class="Apple-converted-space"> </span>Thursday, October 5, 2017 1:52 PM<br class=""><b class="">To:</b><span class="Apple-converted-space"> </span>Jacob Hoffman-Andrews <<a href="mailto:jsha@letsencrypt.org" class="">jsha@letsencrypt.org</a>>; CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>><br class=""><b class="">Subject:</b><span class="Apple-converted-space"> </span>Re: [cabfpub] CAA working group description<o:p class=""></o:p></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">I agree with both Phillip and Jacob here. I think LAMPS is a great venue for working out the technical issues of discussion - and identifying where policy flexibility is needed or the challenges - and then bringing that as maybe one or two more ballots into the Forum. I think the technical clarifications and edge cases that we've seen discussed are totally within the realm of IETF's goals of interoperability, so we should try to use that as much as possible :)<o:p class=""></o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">The extent of Forum ballots seems like it may be adopting one or two more technical erratum (if interoperability issues arise and raised in IETF), and then potentially exploring adopting the newer version being proposed in LAMPS once completed.<o:p class=""></o:p></div></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">On Thu, Oct 5, 2017 at 10:40 AM, Jacob Hoffman-Andrews via Public <<a href="mailto:public@cabforum.org" target="_blank" style="color: purple; text-decoration: underline;" class="">public@cabforum.org</a>> wrote:<o:p class=""></o:p></div><blockquote style="border-style: none none none solid; border-left-width: 1pt; border-left-color: rgb(204, 204, 204); padding: 0in 0in 0in 6pt; margin-left: 4.8pt; margin-right: 0in;" class="" type="cite"><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">With respect, I would suggest that there is already a CAA working group: the IETF LAMPS WG at<span class="Apple-converted-space"> </span><a href="https://datatracker.ietf.org/wg/lamps/charter/" target="_blank" style="color: purple; text-decoration: underline;" class="">https://datatracker.ietf.org/wg/lamps/charter/</a>. It has the advantage of being open for anyone to join and post, so CAs can more easily have conversations with Subscribers and Relying Parties. If half of the CAA conversation happens in LAMPS and half happens here, it will be harder for Subscribers and Relying Parties to fully participate.<o:p class=""></o:p></div><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">I'd definitely encourage anyone in the CA/Browser Forum who is interested in CAA issues to join the LAMPS mailing list at<span class="Apple-converted-space"> </span><a href="https://www.ietf.org/mailman/listinfo/spasm" target="_blank" style="color: purple; text-decoration: underline;" class="">https://www.ietf.org/mailman/listinfo/spasm</a><span class="Apple-converted-space"> </span>(confusingly, the mailing list is named SPASM, a holdover from an earlier name).<o:p class=""></o:p></div></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">I think it's likely there will be another ballot or two in the CA/Browser Forum clarifying some of the language we use to incorporate CAA, but I think the amount of work is not enough to justify splitting out a second working group.<o:p class=""></o:p></div></div></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><br class="">_______________________________________________<br class="">Public mailing list<br class=""><a href="mailto:Public@cabforum.org" style="color: purple; text-decoration: underline;" class="">Public@cabforum.org</a><br class=""><a href="https://cabforum.org/mailman/listinfo/public" target="_blank" style="color: purple; text-decoration: underline;" class="">https://cabforum.org/mailman/listinfo/public</a><o:p class=""></o:p></p></blockquote></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div></div></div><span style="font-family: HelveticaNeue; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">_______________________________________________</span><br style="font-family: HelveticaNeue; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: HelveticaNeue; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Public mailing list</span><br style="font-family: HelveticaNeue; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><a href="mailto:Public@cabforum.org" style="color: purple; text-decoration: underline; font-family: HelveticaNeue; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">Public@cabforum.org</a><br style="font-family: HelveticaNeue; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><a href="https://cabforum.org/mailman/listinfo/public" style="color: purple; text-decoration: underline; font-family: HelveticaNeue; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">https://cabforum.org/mailman/listinfo/public</a></div></blockquote></div><br class=""></body></html>