[cabfpub] Pre-Ballot 125 - CAA Records

Ben Wilson ben at digicert.com
Thu Jun 26 21:59:51 UTC 2014


Based on our discussions over the last two months, I'm thinking that we are
currently in a position to discuss something similar to the following as a
ballot proposal.  (FWIW - this is very similar to what Phill originally
proposed back on January 8, 2013.)

Pre-Ballot 125 - CAA Records 

Rick Andrews of Symantec made the following motion and Jeremy Rowley of
Digicert and Ryan Sleevi of Google have endorsed it: 

Reasons for proposed ballot RFC 6844 defines a Certification Authority
Authorization DNS Resource Record (CAA). A CAA allows a DNS domain name
holder to specify the CAs authorized to issue certificates for that domain.
Publication of the CAA allows a public Certification Authority to implement
additional controls to reduce the risk of unintended certificate
mis-issuance. 

The proponents of this ballot believe that this proposed modification to the
Baseline Requirements, which gives CAs up to six months to update their CP
and/or CPS to state the degree to which they implement CAA, provides all CAs
with the flexibility needed to begin implementation of CAA. 

---MOTION BEGINS--- 

Add to Section 4 Definitions, new item: 

CAA: From RFC 6844 (http:tools.ietf.org/html/rfc6844
<http://tools.ietf.org/html/rfc6844> ): "The Certification Authority
Authorization (CAA) DNS Resource Record allows a DNS domain name holder to
specify the Certification Authorities (CAs) authorized to issue certificates
for that domain. Publication of CAA Resource Records allows a public
Certification Authority to implement additional controls to reduce the risk
of unintended certificate mis-issue." 

Add a new sentence to the end of Section 8.2.2, Disclosure, as follows: 

Effective as of [insert date that is six months from Ballot 125 adoption],
section 4.4.2 of a CA's Certificate Policy and/or Certification Practice
Statement (subsection 4.1 for CA's still conforming to RFC 2527) shall
disclose the CA's policy and/or practices on processing CAA records. 

The resulting Section 8.2.2 would read as follows:

The CA SHALL publicly disclose its Certificate Policy and/or Certification
Practice Statement through an appropriate and readily accessible online
means that is available on a 24x7 basis. The CA SHALL publicly disclose its
CA business practices to the extent required by the CA's selected audit
scheme (see Section 17.1). The disclosures MUST include all the material
required by RFC 2527 or RFC 3647, and MUST be structured in accordance with
either RFC 2527 or RFC 3647.  Effective as of [insert date that is six
months from Ballot 125 adoption], section 4.4.2 of a CA's Certificate Policy
and/or Certification Practice Statement (subsection 4.1 for CA's still
conforming to RFC 2527) shall disclose the CA's policy and/or practices on
processing CAA records.

---MOTION ENDS---

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140626/f0ba8402/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5453 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140626/f0ba8402/attachment.p7s>


More information about the Public mailing list