[cabfpub] Revisiting CAA
wthayer at godaddy.com
Sat May 3 00:40:55 UTC 2014
Rick – I think it would be helpful to add an effective date so it’s clear how long CAs have to update their CPS once this is passed.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rick Andrews
Sent: Friday, May 02, 2014 5:36 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Revisiting CAA
OK, taking into consideration feedback from Ryan S and Gerv, the current proposal is below. Ben, can you assign a ballot number to it? If I don’t see any other comments for a few days, I’ll submit a formal ballot.
Add to Section 4 Definitions, new item:
CAA: From RFC 6844 (http:tools.ietf.org/html/rfc6844): “The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify the Certification Authorities (CAs) authorized to issue certificates for that domain. Publication of CAA Resource Records allows a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.”
Add to Section 7.1.2 Certificate Warranties, new item:
9. CAA: That, at the time of issuance, the CA (i) implemented a procedure for consideration of CAA records for each Domain Name(s) listed in the Certificate’s subject field and subjectAltName extension; (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA’s Certificate Policy and/or Certification Practice Statement. It is permissible for the CA to ignore CAA records completely, as long as that procedure is documented in the CA’s Certificate Policy and/or Certification Practice Statement. If the CA’s Certificate Policy and/or Certification Practice Statement is based on RFC 3647, the statement describing the CA’s CAA procedure SHOULD appear in Section 4.4.2. Certificate Application Processing.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public