[cabfpub] CAA (was RE: Domain Control Validation)

Phillip Hallam-Baker philliph at comodo.com
Mon Aug 25 15:04:44 MST 2014


CAA was designed to allow for hooks to do that type of thing.

Right now I am looking at the following EE certificate issue scenarios:

* To users of email for end-to-end security
* For short-lifetime certificates to eliminate the need for revocation / status reports
* For short-lifetime certificates for use in cloud computing applications

I would like us to be able to get to an automated mechanism that enables all of these and is compatible with CT.

Since end-to-end email is likely to be the vehicle on which this rides, it will be necessary to support issue of S/MIME or PGP-type credentials. Since everyone hates ASN.1, it might be easiest to get agreement by suggesting we do PKIX plus hooks for a JSON scheme.


On Aug 25, 2014, at 4:25 PM, Chris Palmer <palmer at google.com> wrote:

> On Mon, Aug 25, 2014 at 1:19 PM, Ben Wilson <ben.wilson at digicert.com> wrote:
> 
>> Ben W. said, “if the CA gives the applicant a code that they need to put in
>> the TXT record, and that happens,” and
>> 
>> Ryan S. replied, “I think a CA-generated code with the DNS admin placing it
>> is equivalent to mechanisms 1-6 for control demonstration purposes”.
>> 
>> I think we ought to allow this as another method of confirming domain
>> control for purposes of EV.
> 
> You'd want to also specify time-limits, one-time-use, and
> non-replayability for the token.
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
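The mechanism discussed in the quoted exchange (the CA hands the applicant a code, the DNS admin publishes it in a TXT record, the CA looks it up) together with the three token properties Chris Palmer asks for, as an added example that is not code from this thread or from any CA's validation system. It assumes a hypothetical `_cavalidation` label under the domain, a one-day token lifetime, and an in-memory dictionary standing in for a DNS resolver so that it runs offline; the zone contents and the fixed clock in `run_scenario` are constructed data.

```python
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600   # assumed policy: a token is valid for one day
TXT_LABEL = "_cavalidation"     # hypothetical label; a real CA would publish its own


class Challenge:
    """One outstanding domain-control challenge issued by the CA."""

    def __init__(self, domain, token, issued_at):
        self.domain = domain
        self.token = token
        self.issued_at = issued_at
        self.consumed = False


def normalize(domain):
    """Lower-case and strip the trailing dot so comparisons are canonical."""
    return domain.strip().lower().rstrip(".")


class ValidationServer:
    """CA-side state: outstanding challenges plus a simulated DNS zone."""

    def __init__(self, zone, clock=time.time):
        self.zone = zone          # constructed stand-in for DNS: name -> list of TXT strings
        self.challenges = {}      # token -> Challenge
        self.clock = clock        # injectable so expiry can be exercised deterministically

    def issue_challenge(self, domain):
        # 256 bits from a CSPRNG: the code cannot be guessed or predicted, so it
        # can only appear in DNS if someone able to write the zone put it there.
        token = secrets.token_urlsafe(32)
        ch = Challenge(normalize(domain), token, self.clock())
        self.challenges[token] = ch
        return ch

    def lookup_txt(self, name):
        # Stand-in for a real resolver query (e.g. dns.resolver.resolve(name, "TXT")).
        return self.zone.get(normalize(name), [])

    def verify(self, domain, token):
        """Return (ok, reason). Enforces the time limit, one-time use and domain binding."""
        ch = self.challenges.get(token)
        if ch is None:
            return False, "unknown token"
        if ch.consumed:
            return False, "token already used"                  # one-time use
        if self.clock() - ch.issued_at > TOKEN_TTL_SECONDS:
            return False, "token expired"                       # time limit
        if ch.domain != normalize(domain):
            return False, "token bound to a different domain"   # no cross-domain replay
        records = self.lookup_txt(f"{TXT_LABEL}.{ch.domain}")
        # Constant-time comparison against every TXT string at the label.
        if not any(hmac.compare_digest(r, token) for r in records):
            return False, "token not present in DNS"
        ch.consumed = True      # burn the token on success so it cannot be reused
        return True, "domain control confirmed"


def run_scenario():
    """Walk through the happy path and the failure modes; returns the outcomes."""
    now = [1_409_000_000.0]                 # constructed fixed clock (seconds since epoch)
    zone = {}
    ca = ValidationServer(zone, clock=lambda: now[0])
    outcomes = {}
    ch = ca.issue_challenge("example.com")
    outcomes["before_publish"] = ca.verify("example.com", ch.token)
    # The applicant's DNS admin publishes the CA-supplied code as a TXT record.
    zone[f"{TXT_LABEL}.example.com"] = [ch.token]
    outcomes["wrong_domain"] = ca.verify("attacker.example", ch.token)
    outcomes["first_use"] = ca.verify("example.com", ch.token)
    outcomes["replay"] = ca.verify("example.com", ch.token)
    # A fresh token that is published but only checked after the lifetime has passed.
    ch2 = ca.issue_challenge("example.com")
    zone[f"{TXT_LABEL}.example.com"] = [ch2.token]
    now[0] += TOKEN_TTL_SECONDS + 1
    outcomes["expired"] = ca.verify("example.com", ch2.token)
    return outcomes


if __name__ == "__main__":
    for name, (ok, reason) in run_scenario().items():
        print(f"{name:15s} {'OK  ' if ok else 'FAIL'} {reason}")
```

The token is consumed only on a successful check, so a stale record left in the zone cannot be used to validate a second request, and the token is bound to the domain it was issued for rather than accepted wherever it happens to appear.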
