[cabfpub] Pre-Ballot 125 - CAA Records

Doug Beattie doug.beattie at globalsign.com
Fri Jun 27 11:42:18 MST 2014


Hi Ben,

 

We liked your original ballot, before you added this section:

 

Amend subparagraph 2 of 7.1.2 to read as follows: 

 2.  Authorization for Certificate:  That, at the time of issuance, the CA
(i) implemented procedures for verifying that the Subject authorized the
issuance of the Certificate, including procedures to (a) consider the CAA
record of each Domain Name to be listed in the Certificate's subject field
or subjectAltName extension, and (b) to establish that the Applicant
Representative is authorized to request the Certificate on behalf of the
Subject; (ii) followed the procedures when issuing the Certificate; and
(iii) accurately described the procedures in the CA's Certificate Policy
and/or Certification Practices Statement;

 

 

From: Ben Wilson [mailto:ben at digicert.com] 
Sent: Friday, June 27, 2014 2:39 PM
To: 'Doug Beattie'; 'cabfpub'
Subject: RE: [cabfpub] Pre-Ballot 125 - CAA Records

 

Doug,

Could you re-state in its entirety what you'd like to see?  I'm not
following.

Thanks,

Ben

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Friday, June 27, 2014 11:43 AM
To: 'Ben Wilson'; 'cabfpub'
Subject: Re: [cabfpub] Pre-Ballot 125 - CAA Records

 

Hi Ben,

 

We can support the ballot you first drafted, but we have issues with the
recent amendment in subparagraph 2 of 7.1.2.  That is not consistent with
the goal of this ballot (have CAs publicly disclose if/how they process
CAA records in the CPS) as there are some statements that go beyond that
regarding "implementing procedures."  That should be removed from this
ballot.

 

 

Doug

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Friday, June 27, 2014 12:14 PM
To: 'Rick Andrews'; 'cabfpub'
Subject: [cabfpub] Pre-Ballot 125 - CAA Records

 

Rick,

Here are the alternative provisions for you to look at and choose from.

Ben

 

Pre-Ballot 125 - CAA Records 

Rick Andrews of Symantec made the following motion and Jeremy Rowley of
Digicert and Ryan Sleevi of Google have endorsed it: 

Reasons for proposed ballot

RFC 6844 defines a Certification Authority Authorization DNS Resource Record
(CAA). A CAA allows a DNS domain name holder to specify the CAs authorized to
issue certificates for that domain. Publication of the CAA allows a public
Certification Authority to implement additional controls to reduce the risk
of unintended certificate mis-issuance. 

The proponents of this ballot believe that this proposed modification to the
Baseline Requirements, which gives CAs up to six months to update their CP
and/or CPS to state the degree to which they implement CAA, provides all CAs
with the flexibility needed to begin implementation of CAA. 

---MOTION BEGINS--- 

Add to Section 4 Definitions, new item: 

CAA: From RFC 6844 (http://tools.ietf.org/html/rfc6844): "The Certification Authority
Authorization (CAA) DNS Resource Record allows a DNS domain name holder to
specify the Certification Authorities (CAs) authorized to issue certificates
for that domain. Publication of CAA Resource Records allows a public
Certification Authority to implement additional controls to reduce the risk
of unintended certificate mis-issue." 

Amend subparagraph 2 of 7.1.2 to read as follows: 

 2.  Authorization for Certificate:  That, at the time of issuance, the CA
(i) implemented procedures for verifying that the Subject authorized the
issuance of the Certificate, including procedures to (a) consider the CAA
record of each Domain Name to be listed in the Certificate's subject field
or subjectAltName extension, and (b) to establish that the Applicant
Representative is authorized to request the Certificate on behalf of the
Subject; (ii) followed the procedures when issuing the Certificate; and
(iii) accurately described the procedures in the CA's Certificate Policy
and/or Certification Practices Statement;

Add a new section 7.1.3 CAA Disclosure as follows:

Effective as of [insert date that is six months from Ballot 125 adoption],
Section 4.2 of the CA's Certificate Policy or Certification Practice
Statement SHALL set forth the CA's policy regarding its procedures for
considering CAA records for Domain Names to be listed in the Certificate's
subject field or subjectAltName extension.  

Add a new sentence to the end of Section 8.2.2, Disclosure, as follows: 

Effective as of [insert date that is six months from Ballot 125 adoption],
section 4.2 of a CA's Certificate Policy and/or Certification Practice
Statement shall disclose the CA's policy and/or practices on processing CAA
records. 

The resulting Section 8.2.2 would read as follows:

The CA SHALL publicly disclose its Certificate Policy and/or Certification
Practice Statement through an appropriate and readily accessible online
means that is available on a 24x7 basis. The CA SHALL publicly disclose its
CA business practices to the extent required by the CA's selected audit
scheme (see Section 17.1). The disclosures MUST include all the material
required by RFC 2527 or RFC 3647, and MUST be structured in accordance with
either RFC 2527 or RFC 3647.  Effective as of [insert date that is six
months from Ballot 125 adoption], section 4.2 of a CA's Certificate Policy
and/or Certification Practice Statement shall disclose the CA's policy
and/or practices on processing CAA records.

---MOTION ENDS---
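As an added example (not code from the ballot, the CA/Browser Forum, RFC 6844 or any CA's issuance system), the following Python sketches what "consider the CAA record of each Domain Name" in subparagraph 2 of 7.1.2 amounts to in practice: the relevant-RRset climb of RFC 6844 section 4 and the issue/issuewild/critical-flag rules of sections 5.1 to 5.3, run over a constructed in-memory zone. The zone contents, the CA identifiers (`ca1.example`, `ca2.example`), and the omission of live DNS lookups and CNAME/DNAME following are assumptions made for illustration.

```python
"""Simplified RFC 6844 CAA check over a constructed, in-memory zone.

Added example; not the CA/Browser Forum's, RFC 6844's or any CA's code.
The zone data and CA identifiers below are invented for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CRITICAL = 0x80  # issuer-critical bit of the flags octet (RFC 6844 sec. 5.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int  # flags octet; 0x80 = issuer critical
    tag: str    # property tag, compared case-insensitively
    value: str  # property value, e.g. "ca1.example" or ";" (no CA)


# Constructed sample zone (assumption): FQDN -> CAA RRset present at that name.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [
        CAARecord(0, "issue", "ca1.example"),
        CAARecord(0, "issuewild", "ca2.example"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com.": [CAARecord(0, "issue", ";")],          # nobody may issue
    "odd.example.com.": [
        CAARecord(CRITICAL, "futuretag", "x"),                     # unknown, critical
        CAARecord(0, "issue", "ca1.example"),
    ],
}


def relevant_caa_set(name: str, zone: Dict[str, List[CAARecord]] = ZONE) -> List[CAARecord]:
    """Climb from the FQDN toward the root; the first non-empty CAA RRset is
    the relevant set (RFC 6844 sec. 4). CNAME/DNAME following and the real
    DNS queries are omitted here: the zone is a plain dict."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """'issuer-domain [; param=value ...]'; an empty issuer domain means no CA."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(ca_id: str, name: str, wildcard: bool = False,
                zone: Dict[str, List[CAARecord]] = ZONE) -> Tuple[bool, str]:
    """May the CA identified by ca_id issue for name (or *.name when
    wildcard is True)? Returns (decision, reason) per RFC 6844 sec. 5.2/5.3."""
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True, "no CAA records found: CAA does not restrict issuance"
    # An unrecognised property marked critical means the CA MUST NOT issue.
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"unrecognised critical property '{rr.tag}'"
    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    # For wildcard names issuewild takes precedence; if absent, issue applies.
    if wildcard and issuewild:
        applicable, tag_used = issuewild, "issuewild"
    else:
        applicable, tag_used = issue, "issue"
    if not applicable:
        return True, "no applicable issue/issuewild property: issuance unrestricted"
    allowed = {issuer_domain(rr.value) for rr in applicable}
    if ca_id.lower() in allowed:
        return True, f"{tag_used} property authorises {ca_id}"
    named = sorted(d for d in allowed if d)
    return False, f"{tag_used} properties authorise only {named or 'no CA'}"


if __name__ == "__main__":
    for ca, host, wild in [("ca1.example", "www.example.com", False),
                           ("ca2.example", "www.example.com", False),
                           ("ca2.example", "example.com", True),
                           ("ca1.example", "locked.example.com", False),
                           ("ca1.example", "odd.example.com", False),
                           ("ca1.example", "nocaa.test", False)]:
        ok, why = caa_permits(ca, host, wild)
        print(f"{ca:12} {'*.' if wild else ''}{host:20} {'ISSUE' if ok else 'REFUSE'}: {why}")
```

The point worth noting against the ballot text: the check is only as strong as the CA's stated policy makes it. The code refuses on an unknown critical tag and on an empty issuer domain, and it treats a name with no CAA records at all as unrestricted, which is exactly the kind of behaviour a CP/CPS section 4.2 disclosure under the proposed 7.1.3 would have to spell out.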

 
