[cabfpub] Revisiting CAA

Wayne Thayer wthayer at godaddy.com
Sat May 3 00:47:13 UTC 2014

Ryan – we are in the middle of an audit right now. We will have provided our CPS to our auditors by the time this passes, but the audit period will likely not be complete. That’s why I asked, and I think that simply setting a date a few months out makes it clearer for everyone involved.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, May 02, 2014 5:43 PM
To: Wayne Thayer
Cc: Rick Andrews; public at cabforum.org
Subject: Re: [cabfpub] Revisiting CAA


As has been discussed many times, isn't it largely up to the Browser Programs / Auditors to define what "effective date" means?

The next time you're audited to a version based on these BRs, your CP/CPS needs to cover it.

On Fri, May 2, 2014 at 5:40 PM, Wayne Thayer <wthayer at godaddy.com<mailto:wthayer at godaddy.com>> wrote:
Rick – I think it would be helpful to add an effective date so it’s clear how long CAs have to update their CPS once this is passed.



From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org<mailto:public-bounces at cabforum.org>] On Behalf Of Rick Andrews
Sent: Friday, May 02, 2014 5:36 PM
To: public at cabforum.org<mailto:public at cabforum.org>

Subject: Re: [cabfpub] Revisiting CAA

OK, taking into consideration feedback from Ryan S and Gerv, the current proposal is below. Ben, can you assign a ballot number to it? If I don’t see any other comments for a few days, I’ll submit a formal ballot.

Add to Section 4 Definitions, new item:

CAA: From RFC 6844 (http:tools.ietf.org/html/rfc6844<http://tools.ietf.org/html/rfc6844>): “The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify the Certification Authorities (CAs) authorized to issue certificates for that domain. Publication of CAA Resource Records allows a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.”

Add to Section 7.1.2 Certificate Warranties, new item:

        9. CAA: That, at the time of issuance, the CA (i) implemented a procedure for consideration of CAA records for each Domain Name(s) listed in the Certificate’s subject field and subjectAltName extension; (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA’s Certificate Policy and/or Certification Practice Statement. It is permissible for the CA to ignore CAA records completely, as long as that procedure is documented in the CA’s Certificate Policy and/or Certification Practice Statement. If the CA’s Certificate Policy and/or Certification Practice Statement is based on RFC 3647, the statement describing the CA’s CAA procedure SHOULD appear in Section 4.4.2. Certificate Application Processing.


Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140503/161bc170/attachment-0003.html>

More information about the Public mailing list