[cabfpub] Draft CAA motion

Jacob Hoffman-Andrews jsha at letsencrypt.org
Tue Nov 8 15:43:46 MST 2016


Thanks for writing this up, Gerv. For the most part, I think this is a
really good ballot.

> As part of the issuance process, after all other validation has been
completed. The CA must check for a CAA record

This is somewhat over-determined. I think all we care about is that the CAA
check happens withing time X before issuance, not the order of the check
relative to other validation. For instance, CAs may choose to do the CAA
check concurrently with other validation if they expect to issue within the
time limit.

Editorially: There's a full stop here where there should be a comma.

> for all domains in the certificate

Editorially: I think this should say "for each dNSName in the
subjectAltName extension of the certificate to be issued."

> the domain does not use DNSSEC.

This is surprisingly difficult to check. If the CA is operating an
off-the-shelf recursive resolver configured to validate DNSSEC, that
resolver will return SERVFAIL for invalid DNSSEC records. A SERVFAIL
response can also mean either a failure inside the infrastructure or
outside. I think if we want to include this exception for lookup failure,
we'll need to be more specific about ways to implement it, or it will
certainly be implemented incorrectly.

> If the CA issues, they must do so within 10 minutes of the check passing.

Should we distinguish precert issuance here? If not, we could wind up with
the strange situation of doing a CAA check, signing a precert, finding that
it takes 10+ minutes to submit to enough CT logs, then being required to
re-check CAA before final issuance. This may not seem like a big burden,
but it's possible for the CAA results to change in that time.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20161108/76d77b09/attachment.html>


More information about the Public mailing list