[cabfpub] Revisiting CAA

Wayne Thayer wthayer at godaddy.com
Sat May 3 00:40:55 UTC 2014 

Rick – I think it would be helpful to add an effective date so it’s clear how long CAs have to update their CPS once this is passed.

Thanks,

Wayne

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rick Andrews
Sent: Friday, May 02, 2014 5:36 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Revisiting CAA

OK, taking into consideration feedback from Ryan S and Gerv, the current proposal is below. Ben, can you assign a ballot number to it? If I don’t see any other comments for a few days, I’ll submit a formal ballot.

Add to Section 4 Definitions, new item:

CAA: From RFC 6844 (http:tools.ietf.org/html/rfc6844): “The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify the Certification Authorities (CAs) authorized to issue certificates for that domain. Publication of CAA Resource Records allows a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.”

Add to Section 7.1.2 Certificate Warranties, new item:

        9. CAA: That, at the time of issuance, the CA (i) implemented a procedure for consideration of CAA records for each Domain Name(s) listed in the Certificate’s subject field and subjectAltName extension; (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA’s Certificate Policy and/or Certification Practice Statement. It is permissible for the CA to ignore CAA records completely, as long as that procedure is documented in the CA’s Certificate Policy and/or Certification Practice Statement. If the CA’s Certificate Policy and/or Certification Practice Statement is based on RFC 3647, the statement describing the CA’s CAA procedure SHOULD appear in Section 4.4.2. Certificate Application Processing.

-Rick


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140503/d46034a9/attachment-0003.html>

More information about the Public mailing list