<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Georgia;
panose-1:2 4 5 2 5 4 5 2 3 3;}
@font-face
{font-family:"Times New Roman \(Body CS\)";
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Georgia",serif;
color:windowtext;
font-weight:normal;
font-style:normal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-family:"Georgia",serif'>Speaking as someone who has implemented it in the past, CAA isn’t tough to implement in a script—particularly for your own domains—and it can also be checked manually using various DNS tools. If there’s someone out there who falls into that category, I would think three months isn’t too egregious a timeline to figure out at least something rudimentary. I like the thought, but I lean more towards a tighter timeline on this.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:Consolas;color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:Consolas;color:black'>-- <br>Jos Purvis (</span><a href="mailto:jopurvis@cisco.com"><span style='font-size:9.0pt;font-family:Consolas;color:#954F72'>jopurvis@cisco.com</span></a><span style='font-size:9.0pt;font-family:Consolas;color:black'>)<br>.:|:.:|:. cisco systems | Cryptographic Services<br>PGP: 0xFD802FEE07D19105 | Controls and Trust Verification</span><o:p></o:p></p></div><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>Servercert-wg <servercert-wg-bounces@cabforum.org> on behalf of CABF Server Cert WG <servercert-wg@cabforum.org><br><b>Reply-To: </b>Bruce Morton <Bruce.Morton@entrust.com>, CABF Server Cert WG <servercert-wg@cabforum.org><br><b>Date: </b>Thursday, 8 April, 2021 at 17:13<br><b>To: </b>Ryan Sleevi <sleevi@google.com><br><b>Cc: </b>CABF Server Cert WG <servercert-wg@cabforum.org><br><b>Subject: </b>Re: [Servercert-wg] [EXTERNAL] Seeking endorsers: Draft ballot to sunset the CAA exception<o:p></o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>No I have nothing specific. I was just concerned that there might be an unconstrained third-party subCA, which did not do CAA based on the exception. If the fix is to implement CAA, then my thinking was the effective date may be too short.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Thanks for doing the research.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Bruce.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Ryan Sleevi <sleevi@google.com> <br><b>Sent:</b> Thursday, April 8, 2021 1:33 PM<br><b>To:</b> Bruce Morton <Bruce.Morton@entrust.com><br><b>Cc:</b> CA/B Forum Server Certificate WG Public Discussion List <servercert-wg@cabforum.org><br><b>Subject:</b> Re: [EXTERNAL] [Servercert-wg] Seeking endorsers: Draft ballot to sunset the CAA exception<o:p></o:p></p></div><p class=MsoNormal> <o:p></o:p></p><div><div><p class=MsoNormal>Hi Bruce,<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>Could you explain more about the enterprise CA scenario? Were you thinking technically-constrained sub-CA, or independently operated sub-CA (since you can't delegate domain validation to an enterprise RA, and the validation has to be performed by the CA)<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>For a TCSC, this doesn't change the requirements, so that should be fine.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>For an independently operated third-party CA, in order to take advantage of this exception, they have to implement an even <i>more</i> complex validation flow than CAA. This was meant to provide an escape hatch for organizations who were using DNS libraries that didn't support CAA, but doesn't absolve them of at-issuance verification (to determine they're the DNS Operator).<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>From examining CP/CPSes (where CAs need to disclose this), I'm only aware of a very small list of CAs that rely on this, and they already support CAA (this is largely just a fallback mechanism for them).<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>So that's the rationale for the window being July, even though all indications (including from those CAs) is that this could be effective immediately, if not for the CPS update requirement.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>That said, if you're aware of things being overlooked or concerned about other impact, totally open for discussion on that technical merit.<o:p></o:p></p></div><p class=MsoNormal> <o:p></o:p></p><div><div><p class=MsoNormal>On Thu, Apr 8, 2021 at 8:49 AM Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>No objection to sunsetting the CAA exception. <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Although this change will not impact Entrust, I would be concerned if the exception is being used by an dedicated enterprise CA which has not implemented CAA. In this case the 3 months give or take, which is really about 1 month after IPR, would probably not be sufficient for this type of CA to implement CAA.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I would consider giving a more than generous period to implement. This would allow the ballot discussion to be based on its technical merit and eliminate the debate on time to implement.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Bruce.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank">servercert-wg-bounces@cabforum.org</a>> <b>On Behalf Of </b>Ryan Sleevi via Servercert-wg<br><b>Sent:</b> Wednesday, April 7, 2021 5:29 PM<br><b>To:</b> CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br><b>Subject:</b> [EXTERNAL] [Servercert-wg] Seeking endorsers: Draft ballot to sunset the CAA exception<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>WARNING: This email originated outside of Entrust.<br>DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.<o:p></o:p></p><div class=MsoNormal align=center style='text-align:center'><hr size=0 width="100%" align=center></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I'm looking for endorsers to a draft ballot to sunset the CAA exception afforded to DNS operators.<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>You can see the proposed language is available at <a href="https://urldefense.com/v3/__https:/github.com/cabforum/servercert/compare/main...sleevi:caa_exception__;!!FJ-Y8qCqXTj2!I_8LQ0eTPSBoT_3giJUD1Eb3uHqVjOAibYmX61fOZBfUFcoXqBpkX57XaeoXnC-FpUA$" target="_blank">https://github.com/cabforum/servercert/compare/main...sleevi:caa_exception</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>The motivation is fairly simple: In looking at CA practices and CA incidents, the current implementation introduces significant risk in terms of CA's understanding the requirements and appropriately implementing them.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>The logic involved in determining whether or not the CA is the DNS Operator is quite complex, and requires a thorough knowledge of DNS protocols. In practice, what we've seen is CAs simply self-attesting that they are the DNS Operator, and not implementing those checks as required, which then further leads to non-compliance incidents that CAA can and would have prevented.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Given that it's now been several years of CAA, and we've seen it already used to enhance and improve our validation methods, requiring a consistent checking of CAA (with the exception of technically-constrained sub-CAs or when the CA has already logged a pre-certificate) seems like a reasonable balance.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>The CT Log exception is also tricky, and so it may be worth revisiting whether it's necessary, but this ballot doesn't do that yet.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>The sunset proposed is three months from now (give or take), which was chosen because the actual use/reliance upon this exception is quite rare, and the CAs that currently rely on it already have some form of CAA checking implemented, to the best of my knowledge. If there are concerns with the timeline, concrete details, as always, are welcome.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></div></blockquote></div></div></div></body></html>