[cabfpub] Pre-Ballot 125 - CAA Records

Rob Stradling rob.stradling at comodo.com
Fri Jun 27 20:38:14 UTC 2014


On 27/06/14 18:59, Stephen Davidson wrote:
<snip>
> 4.            Other tags in CAA are reserved:  “path” allows you to post
> a digest for a specific CA root, and “policy” allows you to specify the
> OID of your chosen cert type.  The tag “auth” does not appear to be
> defined.  Are we saying that these too are to be adopted now?

"path" and "policy" were in the early CAA drafts, but the PKIX WG made 
us take them out.  They're marked as reserved (so that we can't 
repurpose them for something different in the future) because it's 
possible that somebody somewhere has running code based on the early drafts.

"auth" was not defined in any CAA draft.  Google used it for a while for 
some experimental code in Chrome.

> Regards, Stephen
>
> *From:*public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> *On Behalf Of *Ben Wilson
> *Sent:* Friday, June 27, 2014 1:14 PM
> *To:* 'Rick Andrews'; 'cabfpub'
> *Subject:* [cabfpub] Pre-Ballot 125 - CAA Records
>
> Rick,
>
> Here are the alternative provisions for you to look at and choose from.
>
> Ben
>
> *Pre-Ballot 125 - CAA Records*
>
> Rick Andrews of Symantec made the following motion and Jeremy Rowley of
> Digicert and Ryan Sleevi of Google have endorsed it:
>
> *Reasons for proposed ballot* RFC 6844 defines a Certification Authority
> Authorization DNS Resource Record (CAA). A CAA allows a DNS domain name
> holder to specify the CAs authorized to issue certificates for that
> domain. Publication of the CAA allows a public Certification Authority
> to implement additional controls to reduce the risk of unintended
> certificate mis-issuance.
>
> The proponents of this ballot believe that this proposed modification to
> the Baseline Requirements, which gives CAs up to six months to update
> their CP and/or CPS to state the degree to which they implement CAA,
> provides all CAs with the flexibility needed to begin implementation of
> CAA.
>
> *---MOTION BEGINS---*
>
> *Add to Section 4 Definitions, new item:*
>
> *CAA:* From RFC 6844 (http://tools.ietf.org/html/rfc6844): “The Certification Authority
> Authorization (CAA) DNS Resource Record allows a DNS domain name holder
> to specify the Certification Authorities (CAs) authorized to issue
> certificates for that domain. Publication of CAA Resource Records allows
> a public Certification Authority to implement additional controls to
> reduce the risk of unintended certificate mis-issue.”
>
> *Amend subparagraph 2 of 7.1.2 to read as follows: *
>
>   2.  Authorization for Certificate:  That, at the time of issuance, the
> CA (i) implemented procedures for verifying that the Subject authorized
> the issuance of the Certificate, _including procedures to (a) consider
> the CAA record of each Domain Name to be listed in the Certificate’s
> subject field or subjectAltName extension,_ and _(b) to establish_ that
> the Applicant Representative is authorized to request the Certificate on
> behalf of the Subject; (ii) followed the procedures when issuing the
> Certificate; and (iii) accurately described the procedure_s_ in the CA’s
> Certificate Policy and/or Certification Practices Statement;
>
> *Add a new section 7.1.3 CAA Disclosure as follows:*
>
> Effective as of [insert date that is six months from Ballot 125
> adoption], Section 4.2 of the CA’s Certificate Policy or Certification
> Practice Statement SHALL set forth the CA’s policy regarding its
> procedures for considering CAA records for Domain Names to be listed in
> the Certificate’s subject field or subjectAltName extension.
>
> *Add a new sentence to the end of Section 8.2.2, Disclosure, as follows:*
>
> Effective as of [insert date that is six months from Ballot 125
> adoption], section 4.2 of a CA's Certificate Policy and/or Certification
> Practice shall disclose the CA's policy and/or practices on processing
> CAA records.
>
> *The resulting Section 8.2.2 would read as follows:*
>
> The CA SHALL publicly disclose its Certificate Policy and/or
> Certification Practice Statement through an appropriate and readily
> accessible online means that is available on a 24x7 basis. The CA SHALL
> publicly disclose its CA business practices to the extent required by
> the CA’s selected audit scheme (see Section 17.1). The disclosures MUST
> include all the material required by RFC 2527 or RFC 3647, and MUST be
> structured in accordance with either RFC 2527 or RFC 3647. _Effective as
> of [insert date that is six months from Ballot 125 adoption], section
> 4.2 of a CA's Certificate Policy and/or Certification Practice Statement
> shall disclose the CA's policy and/or practices on processing CAA records._
>
> *---MOTION ENDS---*
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.
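The thread above turns on two things a CA has to get right when it "considers the CAA record" of a name: climbing from the requested name towards the root to find the relevant CAA RRset, and handling tags it does not understand (the reserved "path", "policy" and "auth" tags among them) according to the critical flag. The following is an added example, not code from the ballot, from Comodo or from any CA; it implements the RFC 6844 issuance check over a constructed in-memory zone (no real DNS lookup, no CNAME/DNAME following, no DNSSEC), and the zone contents, CA identifiers and the "opaque-draft-value" string are all made up for the demonstration.

```python
"""CAA issuance check as a CA would perform it before issuing (RFC 6844).

Added example with constructed data; the zone below is not real DNS.
"""
from dataclasses import dataclass

# Property tags RFC 6844 defines and an issuer acts on.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
# Tags RFC 6844 lists as reserved (left over from early drafts). They have
# no defined meaning, so this code deliberately gives them none.
RESERVED_TAGS = {"auth", "path", "policy"}
CRITICAL_FLAG = 0x80  # bit 0 of the flags octet, "issuer critical"


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rdata: str) -> CAARecord:
    """Parse presentation-format CAA RDATA, e.g. '0 issue "ca.example"'."""
    flags, tag, value = rdata.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def issuer_domain(value: str) -> str:
    """issuer-domain-name part of an issue/issuewild value; '' means no CA."""
    return value.split(";", 1)[0].strip().lower()


def relevant_records(zone: dict, name: str) -> list:
    """RFC 6844 section 4: the relevant RRset is the first non-empty CAA set
    found walking from the name up towards the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrs = zone.get(".".join(labels[i:]))
        if rrs:
            return [parse_caa(r) for r in rrs]
    return []


def may_issue(zone: dict, name: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Return True if a CA identified by ca_domain may issue for name."""
    records = relevant_records(zone, name)
    if not records:
        return True  # no CAA anywhere in the chain: issuance unrestricted
    # A critical record whose tag we do not understand blocks issuance.
    # Reserved tags count as not understood, critical or not they are never
    # interpreted; non-critical unknown tags are simply ignored.
    for r in records:
        if r.flags & CRITICAL_FLAG and r.tag not in KNOWN_TAGS:
            return False
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # issuewild takes precedence for wildcard requests when present.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # only iodef / ignorable tags: no restriction
    return any(issuer_domain(r.value) == ca_domain.lower() for r in applicable)


# Constructed sample zone: name -> list of CAA RDATA strings.
SAMPLE_ZONE = {
    "example.com": [
        '0 issue "ca-one.example"',
        '0 issuewild "ca-two.example"',
        '0 iodef "mailto:security@example.com"',
    ],
    "locked.example.net": ['0 issue ";"'],          # no CA may issue
    "example.org": ['0 issue "ca-one.example"'],
    "legacy.example.org": [                          # critical reserved tag
        '128 path "opaque-draft-value"',
        '0 issue "ca-one.example"',
    ],
    "draft.example.org": [                           # non-critical reserved tag
        '0 policy "opaque-draft-value"',
        '0 issue "ca-one.example"',
    ],
}


if __name__ == "__main__":
    for name, ca, wild in [
        ("www.example.com", "ca-one.example", False),
        ("www.example.com", "ca-two.example", False),
        ("example.com", "ca-two.example", True),
        ("locked.example.net", "ca-one.example", False),
        ("legacy.example.org", "ca-one.example", False),
        ("draft.example.org", "ca-one.example", False),
        ("nocaa.example", "ca-one.example", False),
    ]:
        print(f"{ca:>16} {'*.' if wild else ''}{name}: {may_issue(SAMPLE_ZONE, name, ca, wild)}")
```

The "legacy.example.org" entry shows why the reserved tags matter to a CA even though nobody is supposed to emit them: a record with the critical bit set and a tag the CA does not implement must stop issuance, whereas the same tag without the critical bit is ignored and the ordinary "issue" check proceeds.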


