[cabfpub] Ballot 125 - CAA

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Thu Sep 18 05:58:46 UTC 2014


The language requires disclosure of two things: (1) what the CAA does to respond to CAA records, and (2) a statement that the CA logs its actions (consistent with its stated policy).

Wouldn't it be better to turn (2) into an actual requirement, such as:

Effective as of [insert date that is six months from Ballot 125 adoption], section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement (section 4.1 for CAs still conforming to RFC 2527) SHALL state whether the CA reviews CAA Records, and if so, (1) the CA's policy or practice on processing CAA Records for Fully Qualified Domain Names. The CA SHALL log all actions consistent with its processing practice.

I would actually prefer something a little simpler for the second sentence, such as "The CA SHALL maintain a record of its actions demonstrating compliance with its stated policy."

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Thursday, September 18, 2014 11:50 AM
To: Rick Andrews (Rick_Andrews at symantec.com)
Cc: CABFPub
Subject: [cabfpub] Ballot 125 - CAA

Rick,

Here is some draft language to add to the end of Section 8.2.2 of the Baseline Requirements.

Effective as of [insert date that is six months from Ballot 125 adoption], section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement (section 4.1 for CAs still conforming to RFC 2527) SHALL state whether the CA reviews CAA Records, and if so, (1) the CA's policy or practice on processing CAA Records for Fully Qualified Domain Names, and (2) that the CA logs actions consistent with its processing practice.

My interpretation of this language is that CAs will be required to disclose their CAA-review practices and if they do review CAA records, that they also state in their CP or CPS:  (1) what those practices are, and (2) that they document their actions.  Is this clear to everyone else with the proposed language?  Does anyone feel that it would be difficult to monitor or audit compliance with this requirement?

Thanks,

Ben
