[cabfpub] Pre-Ballot 125 - CAA Records

Geoff Keating geoffk at apple.com
Sun Sep 7 23:42:19 UTC 2014

On 6 Sep 2014, at 7:42 pm, Ryan Sleevi <sleevi at google.com> wrote:

> On Sep 6, 2014 7:31 PM, "kirk_hall at trendmicro.com" <kirk_hall at trendmicro.com> wrote:
> > Several CAs (and at least one browser) have expressed concerns over the past year every time CAA was raised as a possible new requirement that it could be used improperly by some CAs in the manner I have outlined.  That is the chief impediment to broad support for CAA.  The proponents of CAA need to listen to the concerns of the companies it would most directly affect, and not ignore those concerns.   It needs to be addressed now, before the CA/Browser Forum is asked to give its imprimatur to CAA as a mandatory requirement – even as outlined in Pre-Ballot 125.  That is simple to do.
> That is not what this Ballot proposes, which is precisely why such concerns are unfounded.

I am not enthusiastic about adding a simple reporting requirement.  Wouldn't it be better to propose something which says how to really improve security, even if only as a recommendation?

And, if we're adding a recommendation (or even just a reporting requirement, since surely the aim of that is to encourage CAs to say they do support CAA), I think Kirk's suggestion is quite reasonable, in principle.  But I don't want to discourage CAs from telling their customers to create a CAA record, or even doing it for the customer, so long as those CAA records will be accurate.

So, how this:

- CAs SHOULD check the CAA record, but also

- CAs MUST NOT request or suggest that a customer include the CA’s name in a CAA record for a domain without also making clear that the customer needs to include all CAs that the owner of the domain intends to use for any hostname in the domain; and

- CAs MUST NOT act to create a CAA record that includes the CA’s name without also ensuring that the CAA record contains all CAs the owner of the domain intends to use.  For example, a CA who is also the customer's DNS and hosting operator and knows they will issue certificates for all the customer's DNS names, MAY add CAA record(s) containing only that CA, if otherwise permitted by their agreement with the customer.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4103 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140907/66dda25f/attachment-0001.p7s>

More information about the Public mailing list