[cabfpub] Pre-Ballot 125 - CAA Records

Ben Wilson ben.wilson at digicert.com
Wed Sep 3 08:21:46 MST 2014


Rick and Stephen, 

Are these suggested changes still in line with what you’re willing to accept?

Thanks,

Ben

From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Tuesday, September 2, 2014 6:10 PM
To: Ben Wilson
Cc: Sigbjørn Vik; Rick Andrews; Geoff Keating; Stephen Davidson; cabfpub
Subject: Re: [cabfpub] Pre-Ballot 125 - CAA Records

On Fri, Aug 29, 2014 at 2:02 PM, Ben Wilson <ben.wilson at digicert.com> wrote:

Picking up where we left off .. attached is the redlined version that I
think is closest to where we were on this issue:

1.  In Section 4 of the Baseline Requirements, add a definition for CAA
Record as follows:

CAA Record: The Certification Authority Authorization (CAA) DNS Resource
Record of RFC 6844
(http://tools.ietf.org/html/rfc6844) that allows a DNS domain name holder to
specify the Certification Authorities
(CAs) authorized to issue certificates for that domain. Publication of a CAA
Resource Record allows public
Certification Authorities to implement additional controls to reduce the
risk of unintended certificate mis-issue.

Reads like you're saying CAs publishing CAA records benefits them

"Publication of a CAA Resource Record allows a Domain Name Registrant to request that Certification Authorities implement additional controls to reduce the risk of unintended certificate mis-issue"

We might want to abbreviate this definition a bit.

2.  In Section 8.2.2 (instead of editing warranties in section 7.1.2 or
verification practices in section 11, as some have suggested) add the
following to the end of the paragraph on Disclosure:

Effective as of [insert date that is six months from Ballot 125 adoption],
section 4.2 of a CA's Certificate Policy and/or Certification Practice
Statement (section 4.1 for CAs still conforming to RFC 2527) shall
disclose: (1) whether the CA reviews CAA Records, and if so, (2) the CA’s
policy or practice on processing CAA Records and comparing them with
proposed Domain Names for the Common Name field or Subject Alternative Name
fields of certificate applications, and (3) any actions taken as a result of
such comparison.

Any comments or suggestions are welcome.

(2) the CA's policy or practice on processing CAA Records for each Fully-Qualified Domain Name listed in a certificate, and (3) any actions taken as a result of such a comparison.

The goal of word-smithing (2) is to match the language in 11.1.1, which is better than trying to enumerate 9.2.1 / 9.2.2 (9.2.2 already has a MUST that it must have appeared in 9.2.1, so this is redundant anyways)

Of course, you could just reference 9.2.1 directly (e.g. drop the common name requirement), since any value in 9.2.2 is required to be in 9.2.1 as well.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Sigbjørn Vik
Sent: Tuesday, July 22, 2014 12:47 AM
To: Rick Andrews; Geoff Keating; Stephen Davidson
Cc: cabfpub
Subject: Re: [cabfpub] Pre-Ballot 125 - CAA Records

On 21-Jul-14 20:11, Rick Andrews wrote:
> Siggy, how does the addition of a CAA record make DoS or DNS amplification
> attacks more problematic?

I am no DNS expert, merely relaying comments from our sysadmin. If people
with more knowledge in the field conclude that this is not an issue, that is
fine with me, but it should be considered.

> -----Original Message-----
> From: Sigbjørn Vik [mailto:sigbjorn at opera.com]
> Sent: Monday, July 21, 2014 12:21 AM
> To: Rick Andrews; Geoff Keating; Stephen Davidson
> Cc: cabfpub
> Subject: Re: [cabfpub] Pre-Ballot 125 - CAA Records
>
> On 17-Jul-14 23:51, Rick Andrews wrote:
>> Siggy,
>>
>> There are a number of Security Considerations in Section 6 of the CAA
>> RFC (http://tools.ietf.org/html/rfc6844#page-13) which detail
>> possible abuse.
>
> I don't see DoS or DNS amplification listed there.
>
> --
> Sigbjørn Vik
> Opera Software
>


--
Sigbjørn Vik
Opera Software

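The CAA processing that the definition in item 1 of the ballot text refers to (the RFC 6844 lookup that climbs from the requested name to its parents until a CAA RRset is found, the issue and issuewild property tags, and the issuer-critical flag), as an added example that is not part of this thread and is not any CA's code. The CA identifier ca.example, the in-memory zone and the wildcard handling are assumptions made for the example; a real implementation resolves CAA over DNS (preferably DNSSEC-validated) and follows CNAME/DNAME chains, which this sketch omits.

```python
"""
Added example (not from the ballot text or any CA's code): a minimal RFC 6844
style CAA evaluation run over a constructed, in-memory zone so it works offline.

Assumptions (not in the original): the CA identifies itself by the string CA_ID;
the zone data below is invented; CNAME/DNAME handling is omitted and the lookup
is simplified to "walk parent labels until a CAA RRset is found".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CA_ID = "ca.example"  # hypothetical identifier this CA recognises in issue/issuewild tags


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0-255; bit 7 (value 128) is the issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", or an unknown tag
    value: str   # e.g. "ca.example; accounturi=..." or ";" (nobody may issue)


# Constructed zone: FQDN -> CAA RRset. Names absent here have no CAA RRset of their own.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [CAARecord(0, "issue", "ca.example")],
    "noone.example.com": [CAARecord(0, "issue", ";")],           # explicit "no CA may issue"
    "wild.example.com": [CAARecord(0, "issue", "other-ca.test"),
                         CAARecord(0, "issuewild", "ca.example")],
    "strict.example.com": [CAARecord(128, "future-tag", "x"),   # critical flag on an unknown tag
                           CAARecord(0, "issue", "ca.example")],
}


def lookup_caa(fqdn: str, zone: Dict[str, List[CAARecord]]) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 6844 section 4: the relevant RRset is the first non-empty CAA RRset on the
    name itself or, failing that, on each parent name up to the root.
    Returns (name where it was found, records); (None, []) if nothing was found."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = zone.get(name, [])
        if rrset:
            return name, rrset
    return None, []


def issuer_matches(value: str, ca_id: str) -> bool:
    """Property value grammar: '<issuer-domain>[; param=value]*'. Only the domain part
    is compared (case-insensitively); an empty domain ('' or ';') authorises no CA."""
    domain = value.split(";", 1)[0].strip().lower()
    return domain != "" and domain == ca_id.lower()


def may_issue(fqdn: str, wildcard: bool, ca_id: str = CA_ID, zone=ZONE) -> Tuple[bool, str]:
    """Decide whether ca_id may issue for fqdn (or for *.fqdn when wildcard is True)."""
    found, rrset = lookup_caa(fqdn, zone)
    if not rrset:
        return True, "no CAA RRset on %s or any parent: issuance unrestricted" % fqdn
    # RFC 6844 section 3: a critical record whose tag the CA does not understand blocks issuance.
    for r in rrset:
        if r.flags & 128 and r.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, "critical unknown tag '%s' at %s" % (r.tag, found)
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue;
    # non-wildcard requests are governed by issue only.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, "CAA RRset at %s has no applicable issue/issuewild property" % found
    if any(issuer_matches(r.value, ca_id) for r in relevant):
        return True, "%s authorised at %s" % (ca_id, found)
    return False, "%s not authorised by CAA at %s" % (ca_id, found)


def check_certificate_request(fqdns: List[str]) -> Dict[str, bool]:
    """Apply the check to every FQDN in a request (each SAN), as the draft disclosure text contemplates."""
    results = {}
    for name in fqdns:
        wildcard = name.startswith("*.")
        base = name[2:] if wildcard else name
        results[name] = may_issue(base, wildcard)[0]
    return results


if __name__ == "__main__":
    sample = ["www.example.com", "noone.example.com", "*.wild.example.com",
              "wild.example.com", "strict.example.com", "unrelated.test"]
    for name, ok in check_certificate_request(sample).items():
        print(name, "->", "issue" if ok else "refuse")
```

Run as a script it prints an issue/refuse verdict per constructed name: the `;` value and the critical unknown tag both refuse, a name with no CAA anywhere in its ancestry is unrestricted, and the wildcard and base forms of wild.example.com get different answers because issuewild takes precedence for the wildcard form only.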