[cabfpub] CAA Proposal

Ryan Sleevi sleevi at google.com
Tue Jun 11 18:11:16 UTC 2013


Phil,

If you want to put forward a motion, I think we'd be happy to endorse
it. Minimally, CAA provides a strong signal that the domain owner
would prefer to be treated at a minimum as a "High Risk Request", and
provides CAs an even better indicator as to the legitimacy of
requests.

So +1 to seeing the CA/Browser Forum encourage its adoption.

Cheers,
Ryan

On Fri, Jun 7, 2013 at 9:10 AM, Phillip <philliph at comodo.com> wrote:
> Following up on the CAA threads, I would like to propose the following
> (subject to discussion):
>
> 1) CABForum endorse the publication of CAA records by domain name owners to
> mitigate the risk of issue of certificates in response to an unauthorized or
> fraudulent request.
>
> 2) The Basic requirements be updated to add a requirement that CAs state
> their policy for use of CAA records in their CPS.
>
> "A CA MUST state its policy for processing CAA records as defined in RFC
> 6844"
>
>
> Rationale:
>
> http://tools.ietf.org/html/rfc6844
>
> To be compliant with the RFC, a CA MUST comply with the requirements of
> section 4:
>
> Before issuing a certificate, a compliant CA MUST check for
>    publication of a relevant CAA Resource Record set.  If such a record
>    set exists, a CA MUST NOT issue a certificate unless the CA
>    determines that either (1) the certificate request is consistent with
>    the applicable CAA Resource Record set or (2) an exception specified
>    in the relevant Certificate Policy or Certification Practices
>    Statement applies.
>
>
> A CA can be minimally compliant with the specification by simply publishing
> a statement that says that they retrieve and process CAA records for each
> request and then grant an automatic exception in every case.
>
> This is deliberate because there is a peculiar edge case in which the Domain
> Name owner does not control their DNS publication infrastructure and the
> party that does inserts a spurious CAA record to limit competition. It also
> avoided the need for theological debates on what is and is not a public
> delegation point.
>
> The point of CAA is to benefit CAs by reducing the cost of detecting
> potential fraudulent applications and mitigating the risk of issuing a
> certificate. But as with any other validation check, the response to a
> request that is non-consistent is not going to be to kick the request back
> to manual processing. There is going to be a person in the loop making
> enquiries. Either the CAA record is spurious and the CA wants to get it
> changed so that they can take the business or they have just detected an
> unauthorized request which they are going to want to look at and analyze and
> study.
>
> A CA could write a CPS statement that says they look at CAA records and then
> ignore them completely but that would not look good. I think it rather more
> likely that it would say something like they have some sort of process for
> determining that CAA records do not represent the intention of the Domain
> Owner and publish a list of domains they will ignore CAA records from. This
> might include top-level domains like .com etc. But the fact that CAs have
> the option of ignoring the CAA records is probably sufficient to deter an
> attack.
>
>
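
The Section 4 check quoted in the message above, written out as an added Python example; it is not part of the original thread and not any CA's code. It is a simplified reading of RFC 6844 (no CNAME/DNAME alias handling, no DNSSEC), and the zone data, CA names and the `cps_ignored` exception list are constructed assumptions.

```python
# Added example: simplified RFC 6844 section 4 decision. All names are constructed.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(rdata):
    """Parse presentation-format RDATA: <flags> <tag> "<value>"."""
    flags, tag, value = rdata.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')

def relevant_rrset(domain, zone):
    """Climb from the requested name toward the root; first name with CAA wins."""
    labels = domain.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, [parse_caa(r) for r in zone[name]]
    return None, []

def caa_check(domain, ca_domain, zone, cps_ignored=frozenset()):
    """Return (may_issue, reason). cps_ignored models a hypothetical CPS exception list."""
    name, rrset = relevant_rrset(domain, zone)
    if not rrset:
        return True, "no CAA record set"
    if name in cps_ignored:
        return True, f"CPS exception: CAA at {name} ignored"
    # Critical bit (0x80) on a tag this CA does not understand blocks issuance.
    if any(f & 0x80 and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False, f"unknown critical property at {name}"
    # For wildcard requests, any issuewild property replaces the issue properties.
    wild = [v for _, t, v in rrset if t == "issuewild"]
    issue = [v for _, t, v in rrset if t == "issue"]
    props = wild if domain.startswith("*.") and wild else issue
    if not props:
        return True, f"no issue restriction at {name}"
    # The issuer domain name is the part before any ';' parameters.
    issuers = {v.split(";", 1)[0].strip().lower() for v in props}
    if ca_domain.lower() in issuers:
        return True, f"authorized by CAA at {name}"
    return False, f"not authorized by CAA at {name}: escalate to a person"

ZONE = {  # constructed sample records
    "example.com": ['0 issue "ca-one.example"', '0 issuewild ";"'],
    "legacy.example.com": ['128 futuretag "x"'],
    "com": ['0 issue "registry-ca.example"'],
}
```

Passing `cps_ignored={"com"}` reproduces the case described in the message where a CA's CPS lists domains, such as top-level domains, whose CAA records it will not honour.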
