[cabfpub] Revisiting CAA

Ryan Sleevi sleevi at google.com
Sat May 3 00:42:51 UTC 2014


Wayne,

As has been discussed many times, isn't it largely up to the Browser
Programs / Auditors to define what "effective date" means?

The next time you're audited to a version based on these BRs, your CP/CPS
needs to cover it.


On Fri, May 2, 2014 at 5:40 PM, Wayne Thayer <wthayer at godaddy.com> wrote:

>  Rick – I think it would be helpful to add an effective date so it’s
> clear how long CAs have to update their CPS once this is passed.
>
>
>
> Thanks,
>
>
>
> Wayne
>
>
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On
> Behalf Of *Rick Andrews
> *Sent:* Friday, May 02, 2014 5:36 PM
> *To:* public at cabforum.org
>
> *Subject:* Re: [cabfpub] Revisiting CAA
>
>
>
> OK, taking into consideration feedback from Ryan S and Gerv, the current
> proposal is below. Ben, can you assign a ballot number to it? If I don’t
> see any other comments for a few days, I’ll submit a formal ballot.
>
>
>
> Add to Section 4 Definitions, new item:
>
>
>
> CAA: From RFC 6844 (http://tools.ietf.org/html/rfc6844): “The Certification
> Authority Authorization (CAA) DNS Resource Record allows a DNS domain name
> holder to specify the Certification Authorities (CAs) authorized to issue
> certificates for that domain. Publication of CAA Resource Records allows a
> public Certification Authority to implement additional controls to reduce
> the risk of unintended certificate mis-issue.”
>
>
>
> Add to Section 7.1.2 Certificate Warranties, new item:
>
>
>
>         9. CAA: That, at the time of issuance, the CA (i) implemented a
> procedure for consideration of CAA records for each Domain Name(s) listed
> in the Certificate’s subject field and subjectAltName extension; (ii)
> followed the procedure when issuing the Certificate; and (iii) accurately
> described the procedure in the CA’s Certificate Policy and/or Certification
> Practice Statement. It is permissible for the CA to ignore CAA records
> completely, as long as that procedure is documented in the CA’s Certificate
> Policy and/or Certification Practice Statement. If the CA’s Certificate
> Policy and/or Certification Practice Statement is based on RFC 3647, the
> statement describing the CA’s CAA procedure SHOULD appear in Section 4.4.2.
> Certificate Application Processing.
>
>
>
> -Rick
>
>
>
>
>