[cabfpub] Ballot 125 - CAA Records

Ryan Sleevi sleevi at google.com
Fri Oct 31 05:15:52 MST 2014


On Oct 31, 2014 4:46 AM, "Doug Beattie" <doug.beattie at globalsign.com> wrote:
>
> I’m starting to look at making updates to the CPS to support this ballot
and wonder if the wrong section was specified in the ballot.  Is Section
4.2 where this belongs, or is section 3.2 the right place?
>
>
>
> Section 4.2 contains high level statements and no real detail, and 4.2
generally refers back to 3.2 for the specifics:
>
>
>
> 4.2. Certificate application processing
>
> 4.2.1. Performing Identification and Authentication Functions
>
> 4.2.2. Approval or Rejection of Certificate Applications
>
> 4.2.3. Time to Process Certificate Applications
>
>
>
> Since CAA only applies to some types of certificates, and the details of
domain and Organization Identity for each type of cert are listed in 3.2,
it would make more sense (to me) to include the steps CAs use when
processing CAA records as part of the Domain Control, Ownership or “right
to use” processes that are described in section 3.2.
>

I'm not sure I understand your remark regarding "some types of
certificates" - it would certainly apply to every cert intended for server
authenticated TLS.

>
>
> Doug
>
>
>
>
>
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
> Sent: Tuesday, September 30, 2014 11:01 AM
> To: CABFPub
> Subject: [cabfpub] Ballot 125 - CAA Records
>
>
>
> Ballot 125 - CAA Records
>
> Rick Andrews of Symantec made the following motion and Jeremy Rowley of
Digicert and Ryan Sleevi of Google have endorsed it:
>
> Reasons for proposed ballot RFC 6844 defines a Certification Authority
Authorization DNS Resource Record (CAA). A CAA allows a DNS domain name
holder to specify the CAs authorized to issue certificates for that domain.
Publication of the CAA gives CAs and domain holders additional controls to
reduce the risk of unintended certificate mis-issuance.
>
> The proponents of this ballot believe that this proposed modification to
the Baseline Requirements, which gives CAs up to six months to update their
CP and/or CPS to state the degree to which they implement CAA, provides all
CAs with the flexibility needed to begin implementation of CAA.
>
> ---MOTION BEGINS---
>
> Add to Section 4 Definitions, new item:
>
> CAA: From RFC 6844 (http:tools.ietf.org/html/rfc6844): “The Certification
Authority Authorization (CAA) DNS Resource Record allows a DNS domain name
holder to specify the Certification Authorities (CAs) authorized to issue
certificates for that domain. Publication of CAA Resource Records allows a
public Certification Authority to implement additional controls to reduce
the risk of unintended certificate mis-issue.”
>
> Add the following to the end of Section 8.2.2, Disclosure:
>
> Effective as of [insert date that is six months from Ballot 125
adoption], section 4.2 of a CA's Certificate Policy and/or Certification
Practice Statement (section 4.1 for CAs still conforming to RFC 2527) SHALL
state whether the CA reviews CAA Records, and if so, the CA’s policy or
practice on processing CAA Records for Fully Qualified Domain Names. The CA
SHALL log all actions taken, if any, consistent with its processing
practice.
>
> The resulting Section 8.2.2 would read as follows:
>
> The CA SHALL publicly disclose its Certificate Policy and/or
Certification Practice Statement through an appropriate and readily
accessible online means that is available on a 24x7 basis. The CA SHALL
publicly disclose its CA business practices to the extent required by the
CA’s selected audit scheme (see Section 17.1). The disclosures MUST include
all the material required by RFC 2527 or RFC 3647, and MUST be structured
in accordance with either RFC 2527 or RFC 3647. Effective as of [insert
date that is six months from Ballot 125 adoption], section 4.2 of a CA's
Certificate Policy and/or Certification Practice Statement (section 4.1 for
CAs still conforming to RFC 2527) SHALL state whether the CA reviews CAA
Records, and if so, the CA’s policy or practice on processing CAA Records
for Fully Qualified Domain Names. The CA SHALL log all actions taken, if
any, consistent with its processing practice.
>
> ---MOTION ENDS---
>
> The review period for this ballot shall commence at 2200 UTC on Tuesday,
30 September 2014, and will close at 2200 UTC on Tuesday, 7 October 2014.
Unless the motion is withdrawn during the review period, the voting period
will start immediately thereafter and will close at 2200 UTC on Tuesday, 14
October 2014. Votes must be cast by posting an on-list reply to this thread.
>
> A vote in favor of the motion must indicate a clear 'yes' in the
response. A vote against must indicate a clear 'no' in the response. A vote
to abstain must indicate a clear 'abstain' in the response. Unclear
responses will not be counted. The latest vote received from any
representative of a voting member before the close of the voting period
will be counted. Voting members are listed here:
https://cabforum.org/members/
>
> In order for the motion to be adopted, two thirds or more of the votes
cast by members in the CA category and greater than 50% of the votes cast
by members in the browser category must be in favor. Quorum is currently
seven (7) members– at least seven members must participate in the ballot,
either by voting in favor, voting against, or abstaining.
>
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20141031/2f0aaa2f/attachment.html 


More information about the Public mailing list