[cabfpub] Revisiting CAA

Phillip Hallam-Baker philliph at comodo.com
Fri May 2 10:48:32 MST 2014

That is a rather strange test to apply given that we have so few cases of misissue reported.

It would have done nothing in the 2001 VeriSign incident because VeriSign was authorized to issue for Microsoft. At the time I first 
proposed CAA, that was the only public incident.

Apart from that, deployment of CAA would have forced manual processing of requests in the Comodo and DigiNotar incidents if it had 
been deployed. So the answer to your question would be 'almost all'.

But given the low incidence of mis-issue, I would instead ask if CAA addresses any of the criticisms that have been raised against the 
WebPKI. It very clearly addresses the 'too many CAs' complaint.

I don't believe in reactive security. I try to fix problems before they occur.

-----Original Message----- 
From: kirk_hall at trendmicro.com
Sent: Friday, May 02, 2014 11:40 AM
To: Gervase Markham ; Rick Andrews ; public at cabforum.org
Subject: Re: [cabfpub] Revisiting CAA

Can anyone identify one case -- even one -- of mis-issuance of a certificate by a CA that would have been prevented by CAA?  (I 
can't think of one.)

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Friday, May 02, 2014 2:07 AM
To: Rick Andrews; public at cabforum.org
Subject: Re: [cabfpub] Revisiting CAA

On 01/05/14 23:26, Rick Andrews wrote:
> I’m attaching Phillip’s original proposal for CAA and Jeremy’s
> suggestion for enhancement. Here’s my proposal.

I think the proposal is good, although the scare quotes around "procedure" are unnecessarily pejorative. If our plan is not to 
mandate that CAs explicitly honour CAA, then we should not seem to sneer at those who don't. So we should remove the words 
"(although not desirable)" too. Let's not try and have it both ways.

Public mailing list
Public at cabforum.org
