[cabfpub] Ballot 125 - CAA

kirk_hall at trendmicro.com
Thu Sep 25 15:56:10 MST 2014


Well, maybe make the sentence a bit more neutral, like “The CA SHALL log all actions taken, if any, consistent with its processing practice.”  “Ignores” is a loaded word – there may be a malformed CAA record, for example, which the CA can’t read.  The point is “Say what you do, and then do what you say.”

From: Rick Andrews [mailto:Rick_Andrews at symantec.com]
Sent: Friday, September 26, 2014 1:54 AM
To: Kirk Hall (RD-US); Ben Wilson
Cc: CABFPub
Subject: RE: Ballot 125 - CAA

Kirk, I can accept even your simplified second sentence, as long as it’s clear to everyone that CAs that don’t check CAA don’t have to maintain any records. Is that clear, or should we say “Unless the CA ignores CAA records, it SHALL maintain a record of its actions demonstrating compliance with its stated policy.”

-Rick

From: kirk_hall at trendmicro.com [mailto:kirk_hall at trendmicro.com]
Sent: Wednesday, September 17, 2014 10:59 PM
To: Ben Wilson; Rick Andrews
Cc: CABFPub
Subject: RE: Ballot 125 - CAA

The language requires disclosure of two things: (1) what the CA does to respond to CAA records, and (2) a statement that the CA logs its actions (consistent with its stated policy).

Wouldn’t it be better to turn (2) into an actual requirement, such as:

Effective as of [insert date that is six months from Ballot 125 adoption], section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement (section 4.1 for CAs still conforming to RFC 2527) SHALL state whether the CA reviews CAA Records, and if so, (1) the CA’s policy or practice on processing CAA Records for Fully Qualified Domain Names. [struck: , and (2) that the CA logs] The CA SHALL log all actions consistent with its processing practice.

I would actually prefer something a little simpler for the second sentence, such as “The CA SHALL maintain a record of its actions demonstrating compliance with its stated policy.”

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Thursday, September 18, 2014 11:50 AM
To: Rick Andrews (Rick_Andrews at symantec.com)
Cc: CABFPub
Subject: [cabfpub] Ballot 125 - CAA

Rick,

Here is some draft language to add to the end of Section 8.2.2 of the Baseline Requirements.

Effective as of [insert date that is six months from Ballot 125 adoption], section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement (section 4.1 for CAs still conforming to RFC 2527) SHALL state whether the CA reviews CAA Records, and if so, (1) the CA’s policy or practice on processing CAA Records for Fully Qualified Domain Names, and (2) that the CA logs actions consistent with its processing practice.

My interpretation of this language is that CAs will be required to disclose their CAA-review practices and if they do review CAA records, that they also state in their CP or CPS:  (1) what those practices are, and (2) that they document their actions.  Is this clear to everyone else with the proposed language?  Does anyone feel that it would be difficult to monitor or audit compliance with this requirement?

Thanks,

Ben
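The processing-and-logging practice this thread keeps returning to (“say what you do, and then do what you say”), including Kirk’s point about a malformed CAA record the CA cannot read, as an added example that is not part of the thread and not any CA’s code: a small Python CAA evaluator that returns an issuance decision together with the list of actions it took, so an auditor can compare the record against the stated practice. The zone data is constructed, the issuer name ca.example is hypothetical, and refusing to issue on a malformed record is this example’s own stated practice rather than a Baseline Requirements rule; CNAME following from RFC 8659 section 3 is omitted.

```python
"""Added example (not from the cabfpub thread): a minimal CAA evaluator that
records every action it takes, so the log can be compared against the CA's
stated processing practice. Zone data is constructed; the issuer name and the
fail-closed handling of malformed records are assumptions of this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CA_ISSUER = "ca.example"  # hypothetical issuer domain of the CA running the check
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data: owner name -> CAA rdata in presentation format.
# broken.example.org carries a record the parser cannot read.
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "example.com": ['0 issue "ca.example"', '0 iodef "mailto:caa@example.com"'],
    "wild.example.com": ['0 issuewild "other-ca.example"'],
    "locked.example.net": ['0 issue ";"'],
    "strict.example.org": ['128 unknown-tag "x"', '0 issue "ca.example"'],
    "broken.example.org": ["issue ca.example"],
}


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & 0x80)  # issuer-critical flag (bit 0 of the flags octet)


@dataclass
class CAAResult:
    fqdn: str
    permitted: bool = False
    reason: str = ""
    actions: List[str] = field(default_factory=list)  # the audit trail


def parse_caa(rdata: str) -> CAARecord:
    """Parse '<flags> <tag> "<value>"'; raise ValueError on anything else."""
    parts = rdata.split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields, got {len(parts)}")
    flags, tag, value = parts
    if not flags.isdigit() or int(flags) > 255:
        raise ValueError(f"bad flags field {flags!r}")
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError("value must be a quoted string")
    return CAARecord(int(flags), tag.lower(), value[1:-1])


def relevant_rrset(zone: Dict[str, List[str]], name: str) -> Tuple[Optional[str], List[str]]:
    """Relevant RRset: the name's own CAA records, else the closest ancestor's."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return owner, zone[owner]
    return None, []


def evaluate(zone: Dict[str, List[str]], fqdn: str, issuer: str = CA_ISSUER) -> CAAResult:
    """Decide whether `issuer` may issue for `fqdn`, logging each step in result.actions."""
    res = CAAResult(fqdn)
    wildcard = fqdn.startswith("*.")
    lookup = fqdn[2:] if wildcard else fqdn
    owner, raw = relevant_rrset(zone, lookup)
    res.actions.append(f"lookup {lookup}: relevant CAA RRset at {owner or 'none'} ({len(raw)} records)")
    if owner is None:
        res.permitted, res.reason = True, "no CAA records found; issuance not restricted"
        res.actions.append(res.reason)
        return res
    records: List[CAARecord] = []
    for rdata in raw:
        try:
            records.append(parse_caa(rdata))
        except ValueError as err:
            # Assumed practice for this example: an unreadable record fails closed.
            res.reason = f"malformed CAA record {rdata!r} at {owner}: {err}; refusing to issue"
            res.actions.append(res.reason)
            return res
    unknown_critical = [r.tag for r in records if r.critical and r.tag not in KNOWN_TAGS]
    if unknown_critical:
        res.reason = f"unrecognised critical tag(s) {unknown_critical}; refusing to issue"
        res.actions.append(res.reason)
        return res
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    relevant = [r for r in records if r.tag == tag]
    authorised = [r for r in relevant if r.value.split(";", 1)[0].strip().lower() == issuer.lower()]
    if not relevant:
        res.permitted, res.reason = True, f"no {tag} property at {owner}; issuance not restricted"
    elif authorised:
        res.permitted, res.reason = True, f"{tag} property at {owner} authorises {issuer}"
    else:
        res.reason = f"{tag} properties at {owner} {[r.value for r in relevant]} do not authorise {issuer}"
    res.actions.append(res.reason)
    return res


if __name__ == "__main__":
    for name in ("www.example.com", "*.wild.example.com", "locked.example.net",
                 "strict.example.org", "broken.example.org", "nothing.test"):
        r = evaluate(CONSTRUCTED_ZONE, name)
        print(f"{name}: permitted={r.permitted}")
        for line in r.actions:
            print("   ", line)
```

Every return path appends its reason to `actions`, so the log shows what was looked up, what was found and why issuance was or was not permitted, which is the record the draft language asks a CA to keep. A CA whose documented practice is to proceed on an unreadable record would change only the `except ValueError` branch, and its log would still reflect that choice.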



TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.