<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:HelveticaNeue;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>We had the Lamps meeting and discussed CAA. I think we now have a clear path on how to proceed and what is in scope of the document and what is not.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I won’t try to explain it now due to the teleconferencing lag kicking in.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Ben Wilson [mailto:ben.wilson@digicert.com] <br><b>Sent:</b> Thursday, November 16, 2017 11:26 AM<br><b>To:</b> Geoff Keating <geoffk@apple.com>; CA/Browser Forum Public Discussion List <public@cabforum.org>; Phillip <philliph@comodo.com><br><b>Subject:</b> RE: [cabfpub] CAA working group description<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><a name="_MailEndCompose">Let’s put this on the agenda for next CABF teleconference.<o:p></o:p></a></p><p class=MsoNormal><span style='mso-bookmark:_MailEndCompose'><o:p> </o:p></span></p><div><p class=MsoNormal style='margin-bottom:2.0pt'><span style='mso-bookmark:_MailEndCompose'><b><span style='font-family:"Arial",sans-serif;color:#0174C3'>Ben Wilson, JD, CISA, CISSP<o:p></o:p></span></b></span></p><p class=MsoNormal style='margin-bottom:2.0pt'><span style='mso-bookmark:_MailEndCompose'><span style='font-family:"Arial",sans-serif;color:#686869'>VP Compliance<o:p></o:p></span></span></p><p class=MsoNormal style='margin-bottom:2.0pt'><span style='mso-bookmark:_MailEndCompose'><span style='font-family:"Arial",sans-serif;color:#686869'>+1 801 701 9678<o:p></o:p></span></span></p><p class=MsoNormal><span style='mso-bookmark:_MailEndCompose'><img width=133 height=29 
style='width:1.3819in;height:.3055in' id="Picture_x0020_1" src="cid:image001.jpg@01D35EE4.08C614F0"><o:p></o:p></span></p></div><p class=MsoNormal><span style='mso-bookmark:_MailEndCompose'><o:p> </o:p></span></p><span style='mso-bookmark:_MailEndCompose'></span><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Public [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Geoff Keating via Public<br><b>Sent:</b> Monday, October 9, 2017 5:04 PM<br><b>To:</b> Phillip <<a href="mailto:philliph@comodo.com">philliph@comodo.com</a>>; CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br><b>Subject:</b> Re: [cabfpub] CAA working group description<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>I tried to write the CABForum WG charter so that it did not include changes to the CAA specification itself; these should indeed be handled at the IETF level. This WG is about adoption of CAA in the Baseline Requirements. 
Some topics we might cover are:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>- Requirement for DNSSEC checking—for example, we might extend the current requirements so that CAs obtain and retain a record of the NSEC/NSEC3 record proving a subdomain does not use DNSSEC, even if they don’t actually check the crypto<o:p></o:p></p></div><div><p class=MsoNormal>- Error handling—for example, perhaps repeated failure to find a record should be treated as if the record is missing, rather than the current interpretation where we treat it as if the record exists and allows issuance, or we might just go to fail-closed<o:p></o:p></p></div><div><p class=MsoNormal>- Adoption of any new IETF RFCs, which may need to be phased in<o:p></o:p></p></div><div><p class=MsoNormal>- Adoption of any new IETF Errata<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I don’t think any of these apply at the IETF level; I’m sure the IETF is not going to specify a ‘what if you only wanted a little bit of DNSSEC’ configuration, I think the IETF RFC should specify fail-closed because that’s the only fully secure approach, and the IETF can’t specify adoption of their standards in the Baseline Requirements.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On 5 Oct 2017, at 11:09 am, Phillip via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>I can well imagine a possibility where the IETF WG might leave some parts of the specification specified in less detail than would be desirable for compliance purposes and thus make work in CABForum desirable. 
But let's cross that bridge if we come to it.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>What somewhat worries me is a situation in which I have ten CABForum members tell me that they really want X in a CABForum group and then I report that into the IETF WG and three people say they have other ideas and there being 3 of them and one of me, they represent the consensus. IETF process does allow for liaisons and there might be an argument for a CABForum/IETF liaison. But that does not seem like the right approach here.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><div><p class=MsoNormal><b>From:</b><span class=apple-converted-space> </span>Public [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]<span class=apple-converted-space> </span><b>On Behalf Of<span class=apple-converted-space> </span></b>Ryan Sleevi via Public<br><b>Sent:</b><span class=apple-converted-space> </span>Thursday, October 5, 2017 1:52 PM<br><b>To:</b><span class=apple-converted-space> </span>Jacob Hoffman-Andrews <<a href="mailto:jsha@letsencrypt.org">jsha@letsencrypt.org</a>>; CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br><b>Subject:</b><span class=apple-converted-space> </span>Re: [cabfpub] CAA working group description<o:p></o:p></p></div></div></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><div><p class=MsoNormal>I agree with both Phillip and Jacob here. 
I think LAMPS is a great venue for working out the technical issues of discussion - and identifying where policy flexibility is needed or the challenges - and then bringing that as maybe one or two more ballots into the Forum. I think the technical clarifications and edge cases that we've seen discussed are totally within the realm of IETF's goals of interoperability, so we should try to use that as much as possible :)<o:p></o:p></p></div><div><div><p class=MsoNormal> <o:p></o:p></p></div></div><div><div><p class=MsoNormal>The extent of Forum ballots seems like it may be adopting one or two more technical errata (if interoperability issues arise and are raised in the IETF), and then potentially exploring adopting the newer version being proposed in LAMPS once completed.<o:p></o:p></p></div></div></div><div><div><p class=MsoNormal> <o:p></o:p></p></div><div><div><p class=MsoNormal>On Thu, Oct 5, 2017 at 10:40 AM, Jacob Hoffman-Andrews via Public <<a href="mailto:public@cabforum.org" target="_blank"><span style='color:purple'>public@cabforum.org</span></a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal>With respect, I would suggest that there is already a CAA working group: the IETF LAMPS WG at<span class=apple-converted-space> </span><a href="https://datatracker.ietf.org/wg/lamps/charter/" target="_blank"><span style='color:purple'>https://datatracker.ietf.org/wg/lamps/charter/</span></a>. It has the advantage of being open for anyone to join and post, so CAs can more easily have conversations with Subscribers and Relying Parties. 
If half of the CAA conversation happens in LAMPS and half happens here, it will be harder for Subscribers and Relying Parties to fully participate.<o:p></o:p></p></div><div><div><div><p class=MsoNormal> <o:p></o:p></p></div></div><div><div><p class=MsoNormal>I'd definitely encourage anyone in the CA/Browser Forum who is interested in CAA issues to join the LAMPS mailing list at<span class=apple-converted-space> </span><a href="https://www.ietf.org/mailman/listinfo/spasm" target="_blank"><span style='color:purple'>https://www.ietf.org/mailman/listinfo/spasm</span></a><span class=apple-converted-space> </span>(confusingly, the mailing list is named SPASM, a holdover from an earlier name).<o:p></o:p></p></div></div></div><div><div><p class=MsoNormal> <o:p></o:p></p></div></div><div><div><p class=MsoNormal>I think it's likely there will be another ballot or two in the CA/Browser Forum clarifying some of the language we use to incorporate CAA, but I think the amount of work is not enough to justify splitting out a second working group.<o:p></o:p></p></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org"><span style='color:purple'>Public@cabforum.org</span></a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank"><span style='color:purple'>https://cabforum.org/mailman/listinfo/public</span></a><o:p></o:p></p></blockquote></div><div><p class=MsoNormal> <o:p></o:p></p></div></div></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>