[cabfpub] Revisiting CAA
Wayne Thayer
wthayer at godaddy.com
Fri May 2 17:48:16 MST 2014
I agree that this is how it works, but simply adding an effective date makes it less ambiguous.
From: Rick Andrews [mailto:Rick_Andrews at symantec.com]
Sent: Friday, May 02, 2014 5:45 PM
To: Ryan Sleevi; Wayne Thayer
Cc: public at cabforum.org
Subject: RE: [cabfpub] Revisiting CAA
I agree. It seems like we agreed that the effective date is when this ballot passes, gets put into a revision of the BRs, and then that revision gets worked into version x of WebTrust and ETSI, and then at least one browser says by this date all CAs must have a WebTrust or ETSI version x audit. I don’t like it, but I think we’ve convinced ourselves that there’s no alternative.
-Rick
From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, May 02, 2014 5:43 PM
To: Wayne Thayer
Cc: Rick Andrews; public at cabforum.org<mailto:public at cabforum.org>
Subject: Re: [cabfpub] Revisiting CAA
Wayne,
As has been discussed many times, isn't it largely up to the Browser Programs / Auditors to define what "effective date" means?
The next time you're audited to a version based on these BRs, your CP/CPS needs to cover it.
On Fri, May 2, 2014 at 5:40 PM, Wayne Thayer <wthayer at godaddy.com<mailto:wthayer at godaddy.com>> wrote:
Rick – I think it would be helpful to add an effective date so it’s clear how long CAs have to update their CPS once this is passed.
Thanks,
Wayne
From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org<mailto:public-bounces at cabforum.org>] On Behalf Of Rick Andrews
Sent: Friday, May 02, 2014 5:36 PM
To: public at cabforum.org<mailto:public at cabforum.org>
Subject: Re: [cabfpub] Revisiting CAA
OK, taking into consideration feedback from Ryan S and Gerv, the current proposal is below. Ben, can you assign a ballot number to it? If I don’t see any other comments for a few days, I’ll submit a formal ballot.
Add to Section 4 Definitions, new item:
CAA: From RFC 6844 (http:tools.ietf.org/html/rfc6844<http://tools.ietf.org/html/rfc6844>): “The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify the Certification Authorities (CAs) authorized to issue certificates for that domain. Publication of CAA Resource Records allows a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.”
Add to Section 7.1.2 Certificate Warranties, new item:
9. CAA: That, at the time of issuance, the CA (i) implemented a procedure for consideration of CAA records for each Domain Name(s) listed in the Certificate’s subject field and subjectAltName extension; (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA’s Certificate Policy and/or Certification Practice Statement. It is permissible for the CA to ignore CAA records completely, as long as that procedure is documented in the CA’s Certificate Policy and/or Certification Practice Statement. If the CA’s Certificate Policy and/or Certification Practice Statement is based on RFC 3647, the statement describing the CA’s CAA procedure SHOULD appear in Section 4.4.2. Certificate Application Processing.
-Rick
_______________________________________________
Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>
https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20140503/6ef86af0/attachment.html
More information about the Public
mailing list