[cabfpub] Revisiting CAA

Rick Andrews Rick_Andrews at symantec.com
Thu May 1 22:26:20 UTC 2014

I'm attaching Phillip's original proposal for CAA and Jeremy's suggestion for enhancement. Here's my proposal.

Add to Section 4 Definitions, new item:

CAA: From RFC 6844 (http://tools.ietf.org/html/rfc6844): "The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify the Certification Authorities (CAs) authorized to issue certificates for that domain. Publication of CAA Resource Records allows a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue."

Add to Section 7.1.2 Certificate Warranties, new item:

        9. CAA: That, at the time of issuance, the CA (i) implemented a procedure for consideration of CAA records for each Domain Name(s) and IP address(es) listed in the Certificate's subject field and subjectAltName extension; (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA's Certificate Policy and/or Certification Practice Statement. It is permissible (although not desirable) for the CA to ignore CAA records completely, as long as that "procedure" is documented in the CA's Certificate Policy and/or Certification Practice Statement. If the CA's Certificate Policy and/or Certification Practice Statement is based on RFC 3647, the statement describing the CA's CAA procedure SHOULD appear in Section 4.4.2. Certificate Application Processing.

(I defer to Tom and Ryan S on that last sentence. You read many more CPs and CPSs than I do.)
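The per-name procedure the proposed warranty asks a CA to implement and document can be made concrete. The following is an added example, not code from this post, from the CAB Forum, or from RFC 6844 itself: it walks the RFC 6844 section 4 lookup (name, then alias target, then parent) over a constructed in-memory zone and CNAME table so it runs offline, and applies the issue / issuewild / critical-flag rules of section 5 to every name a certificate would carry. The CA identifier "ca.example", the zone contents and the CNAME are all constructed placeholders; treating IP-address SAN entries as "not applicable" (there is no DNS name to query) and stripping the wildcard label before lookup are this example's own design choices.

```python
"""Added example (not code from the original post or from the CAB Forum):
a minimal RFC 6844-style CAA check a CA could run for every DNS name in a
certificate's subject and subjectAltName before issuance.  DNS is replaced by
constructed in-memory tables so it runs offline; the CA's own issuer-domain
identifier 'ca.example' is a hypothetical placeholder."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int  # bit 7 (value 128) is the "issuer critical" flag
    tag: str    # property tag: "issue", "issuewild", "iodef", ...
    value: str  # issuer domain, optionally followed by ";param=value"; ";" alone = nobody


# Constructed zone data standing in for real CAA RRsets: name -> records.
ZONE: dict[str, list[CAARecord]] = {
    "example.com": [CAARecord(0, "issue", "ca.example"),
                    CAARecord(0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [CAARecord(0, "issue", ";")],
    "wild.example.com": [CAARecord(0, "issue", "ca.example"),
                         CAARecord(0, "issuewild", "other-ca.example")],
    "strict.example.com": [CAARecord(128, "futuretag", "unknown-to-this-ca")],
    "example.net": [CAARecord(0, "issue", "cdn-ca.example; account=42")],
}
# Constructed CNAME table: www.example.com is an alias into another zone.
CNAMES: dict[str, str] = {"www.example.com": "cdn.example.net"}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name, zone=ZONE, cnames=CNAMES):
    """RFC 6844 section 4: R(X) is CAA(X) if non-empty, else R(alias target)
    if non-empty, else R(parent), stopping after the top-level label."""
    label = name.lower().rstrip(".")
    while label:
        if zone.get(label):
            return label, zone[label]
        if label in cnames:
            source, rrset = relevant_rrset(cnames[label], zone, cnames)
            if rrset:
                return source, rrset
        label = label.partition(".")[2]  # climb one label; "" above the TLD
    return None, []


def issuer_domain(value):
    """Strip ';'-separated parameters; an empty result means 'no CA at all'."""
    return value.split(";", 1)[0].strip().lower()


def is_issuance_permitted(name, ca_domain, zone=ZONE, cnames=CNAMES):
    """Return True/False for a DNS name, or None for an IP literal, to which
    CAA does not apply (there is no DNS name to query)."""
    try:
        ipaddress.ip_address(name)
        return None
    except ValueError:
        pass
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name  # the wildcard label itself is not queried
    _, rrset = relevant_rrset(lookup, zone, cnames)
    # Section 5.1: an unrecognised tag with the critical flag set forbids issuance.
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # Section 5.3: issuewild governs wildcard names when present; otherwise issue does.
    applicable = (issuewild or issue) if wildcard else issue
    if not applicable:
        return True  # no issue restriction published anywhere up the tree
    return any(issuer_domain(r.value) == ca_domain.lower() for r in applicable)


def evaluate_request(names, ca_domain="ca.example"):
    """The per-name procedure the proposal asks CAs to document: one verdict
    for every subject / subjectAltName entry of a certificate request."""
    return {n: is_issuance_permitted(n, ca_domain) for n in names}


if __name__ == "__main__":
    request = ["app.example.com", "www.example.com", "locked.example.com",
               "*.wild.example.com", "host.wild.example.com", "*.example.com",
               "strict.example.com", "nocaa.example.org", "203.0.113.10"]
    for n, verdict in evaluate_request(request).items():
        print(f"{n:24} -> {verdict}")
```

Running the module prints one verdict per name; any False in the result is a name the CA must not put in the certificate unless a documented CP/CPS exception applies. The alias case (www.example.com pointing into example.net, which authorises a different CA) is the one most often missed by ad-hoc implementations, which is why the lookup follows the RFC's recursive definition rather than simply climbing parents.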


-------------- next part --------------
An embedded message was scrubbed...
From: Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: Re: [cabfpub] CAA Proposal
Date: Fri, 7 Jun 2013 14:32:44 -0700
Size: 20086
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140501/6aa34293/attachment-0002.mht>
