[cabfpub] Ballot 125 - CAA Records

y-iida at secom.co.jp
Thu Oct 9 19:22:48 MST 2014



SECOM Trust Systems votes ``YES''.
--
  iida

>Ballot 125 - CAA Records
>
>Rick Andrews of Symantec made the following motion and Jeremy Rowley of
>Digicert and Ryan Sleevi of Google have endorsed it:
>
>Reasons for proposed ballot: RFC 6844 defines a Certification Authority
>Authorization DNS Resource Record (CAA). A CAA allows a DNS domain name
>holder to specify the CAs authorized to issue certificates for that
>domain. Publication of the CAA gives CAs and domain holders additional
>controls to reduce the risk of unintended certificate mis-issuance.
>
>The proponents of this ballot believe that this proposed modification to
>the Baseline Requirements, which gives CAs up to six months to update
>their CP and/or CPS to state the degree to which they implement CAA,
>provides all CAs with the flexibility needed to begin implementation of
>CAA.
>
>---MOTION BEGINS---
>
>Add to Section 4 Definitions, new item:
>
>CAA: From RFC 6844
>(http://tools.ietf.org/html/rfc6844):
>"The Certification Authority Authorization (CAA) DNS Resource Record
>allows a DNS domain name holder to specify the Certification Authorities
>(CAs) authorized to issue certificates for that domain. Publication of CAA
>Resource Records allows a public Certification Authority to implement
>additional controls to reduce the risk of unintended certificate
>mis-issue."
>
>Add the following to the end of Section 8.2.2, Disclosure:
>
>Effective as of [insert date that is six months from Ballot 125 adoption],
>section 4.2 of a CA's Certificate Policy and/or Certification Practice
>Statement (section 4.1 for CAs still conforming to RFC 2527) SHALL state
>whether the CA reviews CAA Records, and if so, the CA's policy or practice
>on processing CAA Records for Fully Qualified Domain Names. The CA SHALL
>log all actions taken, if any, consistent with its processing practice.
>
>The resulting Section 8.2.2 would read as follows:
>
>The CA SHALL publicly disclose its Certificate Policy and/or Certification
>Practice Statement through an appropriate and readily accessible online
>means that is available on a 24x7 basis. The CA SHALL publicly disclose
>its CA business practices to the extent required by the CA's selected
>audit scheme (see Section 17.1). The disclosures MUST include all the
>material required by RFC 2527 or RFC 3647, and MUST be structured in
>accordance with either RFC 2527 or RFC 3647. Effective as of [insert date
>that is six months from Ballot 125 adoption], section 4.2 of a CA's
>Certificate Policy and/or Certification Practice Statement (section 4.1
>for CAs still conforming to RFC 2527) SHALL state whether the CA reviews
>CAA Records, and if so, the CA's policy or practice on processing CAA
>Records for Fully Qualified Domain Names. The CA SHALL log all actions
>taken, if any, consistent with its processing practice.
>
>---MOTION ENDS---
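The CAA processing the ballot refers to, namely RFC 6844's relevant-record-set lookup (climb from the FQDN towards the root) and the issue/issuewild authorization check, as an added Python example that is not part of this thread or of any CA's code; the zone contents and CA names are constructed, and DNS resolution is replaced by an in-memory dictionary so it runs offline.

```python
from typing import Dict, List, Optional, Tuple

CAA = Tuple[int, str, str]  # (flags, tag, value) as in RFC 6844 section 3

# Constructed sample zone: owner name -> CAA RRset. A real CA resolves these via DNS.
SAMPLE_ZONE: Dict[str, List[CAA]] = {
    "example.com": [(0, "issue", "ca-one.example"), (0, "issuewild", ";")],
    "locked.example.com": [(128, "unknown-tag", "x")],  # critical, unrecognised tag
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def relevant_caa_set(fqdn: str, zone: Dict[str, List[CAA]]) -> Tuple[Optional[str], List[CAA]]:
    """RFC 6844 section 4: the relevant set is the first non-empty CAA RRset found
    at the FQDN or, failing that, at each successive parent up to the root."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = zone.get(name, [])
        if rrset:
            return name, rrset
    return None, []


def is_issuance_authorized(fqdn: str, ca_domain: str, zone: Dict[str, List[CAA]]) -> Tuple[bool, str]:
    """RFC 6844 section 5.2 check for one CA. Returns (allowed, reason); the reason
    is the kind of record a CA would write to the processing log the ballot requires."""
    wildcard = fqdn.startswith("*.")
    # A wildcard name is governed by the CAA set of the name after the "*." label.
    name, rrset = relevant_caa_set(fqdn[2:] if wildcard else fqdn, zone)
    if not rrset:
        return True, f"no CAA records found for {fqdn}; issuance not restricted by CAA"
    # A critical record (flag bit 0x80) with a tag the CA does not understand forbids issuance.
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag not in KNOWN_TAGS:
            return False, f"critical unrecognised CAA tag '{tag}' at {name}"
    # issuewild governs wildcard names when present; otherwise issue applies to both.
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    # Value syntax is "issuer-domain [; parameters]"; an empty issuer (";") permits no CA.
    issuers = [v.split(";")[0].strip().lower() for _, t, v in rrset if t == tag]
    if not issuers:
        return True, f"no {tag} records at {name}; issuance not restricted by CAA"
    if ca_domain.lower() in issuers:
        return True, f"{ca_domain} authorized by {tag} record at {name}"
    return False, f"{ca_domain} not listed in {tag} records at {name}"
```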