[cabfpub] Pre-Ballot 125 - CAA Records

Ben Wilson ben.wilson at digicert.com
Fri Aug 29 14:02:05 MST 2014

Picking up where we left off... attached is the redlined version that I
think is closest to where we were on this issue:

1.  In Section 4 of the Baseline Requirements, add a definition for CAA
Record as follows: 

CAA Record: The Certification Authority Authorization (CAA) DNS Resource
Record of RFC 6844 (http://tools.ietf.org/html/rfc6844) that allows a DNS
domain name holder to specify the Certification Authorities (CAs)
authorized to issue certificates for that domain. Publication of a CAA
Resource Record allows public Certification Authorities to implement
additional controls to reduce the risk of unintended certificate mis-issue.

We might want to abbreviate this definition a bit.

2.  In Section 8.2.2 (instead of editing warranties in section 7.1.2 or
verification practices in section 11, as some have suggested) add the
following to the end of the paragraph on Disclosure:

Effective as of [insert date that is six months from Ballot 125 adoption],
section 4.2 of a CA's Certificate Policy and/or Certification Practice
Statement (section 4.1 for CAs still conforming to RFC 2527) shall
disclose: (1) whether the CA reviews CAA Records, and if so, (2) the CA's
policy or practice on processing CAA Records and comparing them with
proposed Domain Names for the Common Name field or Subject Alternative Name
fields of certificate applications, and (3) any actions taken as a result of
such comparison.

Any comments or suggestions are welcome.  

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Sigbjørn Vik
Sent: Tuesday, July 22, 2014 12:47 AM
To: Rick Andrews; Geoff Keating; Stephen Davidson
Cc: cabfpub
Subject: Re: [cabfpub] Pre-Ballot 125 - CAA Records

On 21-Jul-14 20:11, Rick Andrews wrote:
> Siggy, how does the addition of a CAA record make DoS or DNS amplification
> attacks more problematic?

I am no DNS expert, merely relaying comments from our sysadmin. If people
with more knowledge in the field conclude that this is not an issue, that is
fine with me, but it should be considered.

> -----Original Message-----
> From: Sigbjørn Vik [mailto:sigbjorn at opera.com]
> Sent: Monday, July 21, 2014 12:21 AM
> To: Rick Andrews; Geoff Keating; Stephen Davidson
> Cc: cabfpub
> Subject: Re: [cabfpub] Pre-Ballot 125 - CAA Records
> On 17-Jul-14 23:51, Rick Andrews wrote:
>> Siggy,
>> There are a number of Security Considerations in Section 6 of the CAA
>> RFC (http://tools.ietf.org/html/rfc6844#page-13) which detail
>> possible abuse.
> I don't see DoS or DNS amplification listed there.
> --
> Sigbjørn Vik
> Opera Software

Sigbjørn Vik
Opera Software
Public mailing list
Public at cabforum.org
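The two ballot items above (the RFC 6844 definition of a CAA Record, and the disclosure of how a CA processes CAA Records against the proposed Common Name and Subject Alternative Names) describe a concrete check a CA performs before issuance. The following is an added example, not code from the ballot, the CA/Browser Forum or any participant in this thread: a minimal RFC 6844-style CAA check run against a constructed, in-memory zone so that it works offline. The zone contents, the requested names and the issuer identifier `ca.example` are assumptions for illustration; CNAME/DNAME following from the RFC is omitted.

```python
"""Added example: RFC 6844-style CAA processing against constructed zone data.
Nothing here is the ballot's or a real CA's code; zone, names and the
issuer identifier 'ca.example' are assumptions for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (0x80) is the "issuer critical" flag (RFC 6844 s5.1)
    tag: str     # property tag: "issue", "issuewild", "iodef", ...
    value: str   # property value, e.g. "ca.example; account=123" or ";" (no CA)


# Constructed zone data (an assumption for this example): owner name -> CAA RRset.
# A name absent from the dict has no CAA RRset, like a real NOERROR/NODATA reply.
CONSTRUCTED_ZONE = {
    "example.com.": [CAARecord(0, "issue", "ca.example; account=230123"),
                     CAARecord(0, "issuewild", ";"),
                     CAARecord(0, "iodef", "mailto:security@example.com")],
    "locked.example.net.": [CAARecord(0, "issue", ";")],
    "strict.example.org.": [CAARecord(0x80, "future-tag", "x"),
                            CAARecord(0, "issue", "ca.example")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn, zone):
    """RFC 6844 s4: walk from the requested name toward the root and return the
    first CAA RRset found. CNAME/DNAME following is omitted for brevity; a
    wildcard request (*.example) uses the records of the name under the '*'."""
    name = fqdn.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone:
            return zone[candidate]
    return []


def issuer_domain(value):
    """The authorized issuer is the text before the first ';'; anything after
    it is optional name=value parameters (e.g. an account identifier)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn, ca_domain, zone=CONSTRUCTED_ZONE):
    """True if the relevant CAA RRset allows ca_domain to issue for fqdn."""
    rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True   # no CAA RRset anywhere in the tree: not restricted
    # An unrecognised property marked critical means the CA must not issue.
    if any(r.flags & 0x80 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    wildcard = fqdn.startswith("*.")
    tags = {r.tag.lower() for r in rrset}
    # issuewild governs wildcard requests when present, otherwise issue applies;
    # issuewild is ignored entirely for non-wildcard requests.
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    props = [r for r in rrset if r.tag.lower() == tag]
    if not props:
        return True   # only iodef or other non-restricting properties present
    return any(issuer_domain(r.value) == ca_domain.lower() for r in props)


def names_refused(requested_names, ca_domain, zone=CONSTRUCTED_ZONE):
    """Apply the check to every proposed Common Name / SAN dNSName in a
    request and return, sorted, the names the CA may not issue for."""
    return sorted(n for n in requested_names
                  if not caa_permits(n, ca_domain, zone))


if __name__ == "__main__":
    request = ["www.example.com", "*.example.com",
               "host.locked.example.net", "new.example.invalid"]
    print("refused:", names_refused(request, "ca.example"))
```

The tree walk is what makes a CAA check cheap to publish once and effective for every subordinate name; the empty value `";"` on `issuewild` shows how a domain holder can permit ordinary names while forbidding wildcards, and the critical flag on an unknown tag is the case a CA most often gets wrong in practice.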
-------------- next part --------------
A non-text attachment was scrubbed...
Name: BR-Ballot-125-CAA.pdf
Type: application/pdf
Size: 195143 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20140829/5d71f283/attachment-0001.pdf 
