[cabfpub] Revisiting CAA

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Sat May 3 00:51:08 UTC 2014

In all the state and federal legislatures, there usually a standard effective date for new laws (in Oregon, it’s January 1 of the next year, which is usually six months after the legislature adjourns), UNLESS the legislature adds an “emergency clause” with an earlier effective date.

I think we should do the same – have a standard period of some (whole) months for a change to take effect, unless the ballot specifies an earlier date.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Wayne Thayer
Sent: Friday, May 02, 2014 5:48 PM
To: Rick Andrews; Ryan Sleevi
Cc: public at cabforum.org
Subject: Re: [cabfpub] Revisiting CAA

I agree that this is how it works, but simply adding an effective date makes it less ambiguous.

From: Rick Andrews [mailto:Rick_Andrews at symantec.com]
Sent: Friday, May 02, 2014 5:45 PM
To: Ryan Sleevi; Wayne Thayer
Cc: public at cabforum.org
Subject: RE: [cabfpub] Revisiting CAA

I agree. It seems like we agreed that the effective date is when this ballot passes, gets put into a revision of the BRs, and then that revision gets worked into version x of WebTrust and ETSI, and then at least one browser says by this date all CAs must have a WebTrust or ETSI version x audit. I don’t like it, but I think we’ve convinced ourselves that there’s no alternative.


From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, May 02, 2014 5:43 PM
To: Wayne Thayer
Cc: Rick Andrews; public at cabforum.org<mailto:public at cabforum.org>
Subject: Re: [cabfpub] Revisiting CAA


As has been discussed many times, isn't it largely up to the Browser Programs / Auditors to define what "effective date" means?

The next time you're audited to a version based on these BRs, your CP/CPS needs to cover it.

On Fri, May 2, 2014 at 5:40 PM, Wayne Thayer <wthayer at godaddy.com<mailto:wthayer at godaddy.com>> wrote:
Rick – I think it would be helpful to add an effective date so it’s clear how long CAs have to update their CPS once this is passed.



From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org<mailto:public-bounces at cabforum.org>] On Behalf Of Rick Andrews
Sent: Friday, May 02, 2014 5:36 PM
To: public at cabforum.org<mailto:public at cabforum.org>

Subject: Re: [cabfpub] Revisiting CAA

OK, taking into consideration feedback from Ryan S and Gerv, the current proposal is below. Ben, can you assign a ballot number to it? If I don’t see any other comments for a few days, I’ll submit a formal ballot.

Add to Section 4 Definitions, new item:

CAA: From RFC 6844 (http:tools.ietf.org/html/rfc6844<http://tools.ietf.org/html/rfc6844>): “The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify the Certification Authorities (CAs) authorized to issue certificates for that domain. Publication of CAA Resource Records allows a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.”

Add to Section 7.1.2 Certificate Warranties, new item:

        9. CAA: That, at the time of issuance, the CA (i) implemented a procedure for consideration of CAA records for each Domain Name(s) listed in the Certificate’s subject field and subjectAltName extension; (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA’s Certificate Policy and/or Certification Practice Statement. It is permissible for the CA to ignore CAA records completely, as long as that procedure is documented in the CA’s Certificate Policy and/or Certification Practice Statement. If the CA’s Certificate Policy and/or Certification Practice Statement is based on RFC 3647, the statement describing the CA’s CAA procedure SHOULD appear in Section 4.4.2. Certificate Application Processing.


Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>

<table class="TM_EMAIL_NOTICE"><tr><td><pre>
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140503/a67f2b04/attachment-0003.html>

More information about the Public mailing list