[cabfpub] CAA Proposal

Jeremy Rowley jeremy.rowley at digicert.com
Fri Jun 7 21:32:44 UTC 2013


Although I am starting to like the concept of CAA, I think this is an
improper way to implement a CAA requirement.  If a CA already has rigorous
validation practices and can accurately identify the request as originating
from the proper entity, I'm not sure that additional checks are necessary. 


If we plan to implement CAA in the Forum, we should develop a discernible
standard that can be used to measure compliance.  In fact, perhaps the RFC
should be revised prior to the Forum's adoption to identify what additional
verification requirements should be considered necessary before issuance of
a certificate.  That way the Forum has a basis for setting the additional
checks and CAs will have a better understanding of how to comply.


Jeremy


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Phillip
Sent: Friday, June 07, 2013 10:10 AM
To: public at cabforum.org
Subject: [cabfpub] CAA Proposal


Following up on the CAA threads, I would like to propose the following
(subject to discussion):


1) CABForum endorse the publication of CAA records by domain name owners to
mitigate the risk of issue of certificates in response to an unauthorized or
fraudulent request.


2) The Basic requirements be updated to add a requirement that CAs state
their policy for use of CAA records in their CPS.


"A CA MUST state its policy for processing CAA records as defined in RFC
6844"

Rationale: 


http://tools.ietf.org/html/rfc6844


To be compliant with the RFC, a CA MUST comply with the requirements of
section 4:


Before issuing a certificate, a compliant CA MUST check for
   publication of a relevant CAA Resource Record set.  If such a record
   set exists, a CA MUST NOT issue a certificate unless the CA
   determines that either (1) the certificate request is consistent with
   the applicable CAA Resource Record set or (2) an exception specified
   in the relevant Certificate Policy or Certification Practices
   Statement applies.


A CA can be minimally compliant with the specification by simply publishing
a statement that says that they retrieve and process CAA records for each
request and then grant an automatic exception in every case.


This is deliberate because there is a peculiar edge case in which the Domain
Name owner does not control their DNS publication infrastructure and the
party that does inserts a spurious CAA record to limit competition. It also
avoided the need for theological debates on what is and is not a public
delegation point.


The point of CAA is to benefit CAs by reducing the cost of detecting
potential fraudulent applications and mitigating the risk of issuing a
certificate. But as with any other validation check, the response to a
request that is non-consistent is not going to be to kick the request back
to manual processing. There is going to be a person in the loop making
enquiries. Either the CAA record is spurious and the CA wants to get it
changed so that they can take the business or they have just detected an
unauthorized request which they are going to want to look at and analyze and
study.


A CA could write a CPS statement that says they look at CAA records and then
ignore them completely but that would not look good. I think it rather more
likely that it would say something like they have some sort of process for
determining that CAA records do not represent the intention of the Domain
Owner and publish a list of domains they will ignore CAA records from. This
might include top-level domains like .com etc. But the fact that CAs have
the option of ignoring the CAA records is probably sufficient to deter an
attack.
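The decision procedure Phillip quotes from section 4 of RFC 6844, together with the CPS exception list he sketches at the end, can be written down as a small issuance-side check. The following is an added example, not code from either poster or from any CA; the zone data is a constructed in-memory table (the names and CA identifiers in it are made up) standing in for a live resolver, and the CNAME/DNAME following that RFC 6844 also requires is omitted to keep the lookup simple.

```python
"""Toy RFC 6844 section 4 check for a CA's issuance pipeline (added example).

The DNS zone is a constructed in-memory dict, not a live resolver, and the
CNAME/DNAME following of RFC 6844 is left out.
"""
from dataclasses import dataclass
from typing import Optional

CRITICAL = 0x80                      # issuer-critical flag bit (RFC 6844 s.5.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


@dataclass
class Decision:
    permitted: bool
    reason: str
    report_to: Optional[str] = None   # iodef contact for the person in the loop


# Constructed sample zone data; none of these are real domains' records.
SAMPLE_ZONE = {
    "example.com": [
        CAARecord(0, "issue", "ca-a.example; account=42"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "wild.example.com": [
        CAARecord(0, "issue", "ca-b.example"),
        CAARecord(0, "issuewild", "ca-a.example"),
    ],
    "locked.example.net": [CAARecord(0, "issue", ";")],          # no CA may issue
    "strict.example.org": [CAARecord(CRITICAL, "future-tag", "x")],
}


def relevant_record_set(fqdn, zone):
    """Climb from fqdn toward the root and return (owner, records) for the
    first name that has a CAA RRset, or (None, []) if none does."""
    name = fqdn.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def issuer_domain(value):
    """'ca-a.example; account=42' -> 'ca-a.example'; ';' -> '' (nobody)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn, ca_identifier, zone, cps_exceptions=frozenset()):
    """Issue only if no relevant RRset exists, the request is consistent with
    it, or the owner is on the CA's published CPS exception list."""
    owner, rrset = relevant_record_set(fqdn, zone)
    if owner is None:
        return Decision(True, "no relevant CAA record set")

    contact = next((r.value for r in rrset if r.tag.lower() == "iodef"), None)

    if owner in cps_exceptions:
        return Decision(True, f"CAA at {owner} disregarded under published CPS exception", contact)

    # A critical property the CA does not understand forbids issuance outright.
    for r in rrset:
        if r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return Decision(False, f"unrecognised critical property '{r.tag}' at {owner}", contact)

    wildcard = fqdn.startswith("*.")
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return Decision(True, f"CAA at {owner} carries no issue restriction", contact)

    allowed = {issuer_domain(r.value) for r in applicable}
    if ca_identifier.lower() in allowed:
        return Decision(True, f"{ca_identifier} authorised by CAA at {owner}", contact)
    return Decision(False, f"{ca_identifier} not authorised by CAA at {owner}; hold for manual review", contact)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca-a.example"), ("www.example.com", "ca-b.example"),
                     ("*.wild.example.com", "ca-a.example"), ("locked.example.net", "ca-a.example"),
                     ("strict.example.org", "ca-a.example")]:
        d = caa_permits(name, ca, SAMPLE_ZONE)
        print(f"{name:22} {ca:14} {'ISSUE' if d.permitted else 'HOLD '} {d.reason}")
```

A non-consistent result does not reject the request by itself; it returns the iodef contact so the reviewer Phillip describes can follow up with the domain owner, and the `cps_exceptions` argument is the published list of owners whose CAA records the CA has decided not to honour.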
