[cabfpub] Revisiting CAA

Rick Andrews Rick_Andrews at symantec.com
Sat May 3 00:45:23 UTC 2014

I agree. It seems like we agreed that the effective date is when this ballot passes, gets put into a revision of the BRs, and then that revision gets worked into version x of WebTrust and ETSI, and then at least one browser says by this date all CAs must have a WebTrust or ETSI version x audit. I don’t like it, but I think we’ve convinced ourselves that there’s no alternative.


From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, May 02, 2014 5:43 PM
To: Wayne Thayer
Cc: Rick Andrews; public at cabforum.org
Subject: Re: [cabfpub] Revisiting CAA


As has been discussed many times, isn't it largely up to the Browser Programs / Auditors to define what "effective date" means?

The next time you're audited to a version based on these BRs, your CP/CPS needs to cover it.

On Fri, May 2, 2014 at 5:40 PM, Wayne Thayer <wthayer at godaddy.com<mailto:wthayer at godaddy.com>> wrote:
Rick – I think it would be helpful to add an effective date so it’s clear how long CAs have to update their CPS once this is passed.



From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org<mailto:public-bounces at cabforum.org>] On Behalf Of Rick Andrews
Sent: Friday, May 02, 2014 5:36 PM
To: public at cabforum.org<mailto:public at cabforum.org>

Subject: Re: [cabfpub] Revisiting CAA

OK, taking into consideration feedback from Ryan S and Gerv, the current proposal is below. Ben, can you assign a ballot number to it? If I don’t see any other comments for a few days, I’ll submit a formal ballot.

Add to Section 4 Definitions, new item:

CAA: From RFC 6844 (http:tools.ietf.org/html/rfc6844<http://tools.ietf.org/html/rfc6844>): “The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify the Certification Authorities (CAs) authorized to issue certificates for that domain. Publication of CAA Resource Records allows a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.”

Add to Section 7.1.2 Certificate Warranties, new item:

        9. CAA: That, at the time of issuance, the CA (i) implemented a procedure for consideration of CAA records for each Domain Name(s) listed in the Certificate’s subject field and subjectAltName extension; (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA’s Certificate Policy and/or Certification Practice Statement. It is permissible for the CA to ignore CAA records completely, as long as that procedure is documented in the CA’s Certificate Policy and/or Certification Practice Statement. If the CA’s Certificate Policy and/or Certification Practice Statement is based on RFC 3647, the statement describing the CA’s CAA procedure SHOULD appear in Section 4.4.2. Certificate Application Processing.


Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140502/2f02203e/attachment-0003.html>

More information about the Public mailing list