[cabfpub] Draft CAA motion

Peter Bowen pzb at amzn.com
Wed Nov 9 10:34:58 MST 2016


Ryan,

I presume Google has internal controls in place that cover who can sign contracts and under what circumstances.  I am inclined to side with Bruce on this one — a signed contract should be prima facie evidence of authorized issuance when the domain registrant is the signer.

I think we should add clear notification requirements and domain registrant rights to the BRs, but I think allowing contract signature is a reasonable mitigation.  Maybe we tie validation in this case to the EV guidelines — that is the CA must follow the EV guidelines to confirm the contract?  Maybe also require CT logging of the CA certificate prior to issuing end-entity certificates and possibly require a waiting period before issuing EE certs?

The objective we all have here is to do the right thing for customers.  Browsers (including Chrome) roll things out gradually and have rollback options.  Can we have that here, have a way to require CAA checking but have a “rollback” option in the form of contracts with public notification when such rollback action is being taken?

Thanks,
Peter


> On Nov 9, 2016, at 9:04 AM, Ryan Sleevi via Public <public at cabforum.org> wrote:
> 
> Bruce,
> 
> What would prevent a random person in Google Marketing from executing a contract with Entrust? How would Entrust determine that person is or is not authorized? How would that be normalized across the industry? How would Google signal to Entrust that such a person was not authorized to sign contracts on Google's behalf?
> 
> These are all things for which your reply is, ultimately, based on how Entrust does its business, and other CAs may differ in practices or rigor - which is why it is very much the realm of CA policy in how it executes such agreements, and subscribers have no way to prevent CAs from being fooled or signalling that they're making a mistake.
> 
> On Wed, Nov 9, 2016 at 8:25 AM, Bruce Morton via Public <public at cabforum.org> wrote:
> This doesn't make CAA in the realm of CA policy. This puts certificate issuance in the realm of certificate Subscriber policy, which I think we all respect through our BR and EV documents.
> 
> Bruce.
> 
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham via Public
> Sent: Wednesday, November 9, 2016 10:12 AM
> To: Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
> Cc: Gervase Markham <gerv at mozilla.org>
> Subject: Re: [cabfpub] Draft CAA motion
> 
> 
> I'm sorry, but that moves CAA from the realm of enforced site policy to the realm of CA policy, which defeats much of the point. We have discussed this recently on this list, I believe.
> 
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> 
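The thread above argues about whether a signed contract should be allowed to override a CAA record, and Peter sketches the conditions such an override might carry. The following is an added example, not code from the thread or from any CA or Forum member: it implements the RFC 6844 (now RFC 8659) CAA lookup over a constructed DNS zone (tree climbing, the critical flag, `issue`/`issuewild`, CNAME following omitted) and then models Peter's proposed "rollback" path as an explicit policy decision. The zone contents, the CA names, the seven-day waiting period and the exact override conditions are assumptions chosen for illustration; the thread names no specific values.

```python
"""CAA check plus a contract-based override policy (added example; assumptions noted inline)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed CAA data: zone name -> list of (flags, tag, value). Not real records.
ZONE = {
    "example.com": [
        (0, "issue", "ca-alpha.example"),          # only ca-alpha may issue
        (0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com": [(0, "issue", ";")],       # explicitly forbids all issuance
    "legacy.example.com": [(128, "future-tag", "x")],  # critical flag on an unknown tag
}

CRITICAL = 128                                    # RFC 6844: "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def caa_records(fqdn, zone=ZONE):
    """Walk from the FQDN toward the root and return the first non-empty CAA RRset.

    This is the RFC 6844 section 4 climb; CNAME/DNAME handling is omitted here.
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return []


def caa_permits(ca_domain, fqdn, wildcard=False, zone=ZONE):
    """Return True if CAA does not prohibit `ca_domain` from issuing for `fqdn`."""
    rrset = caa_records(fqdn, zone)
    if not rrset:
        return True  # no CAA record anywhere in the tree: issuance is unrestricted
    # A critical record with a tag the CA does not understand means: do not issue.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # For wildcard requests issuewild takes precedence when present; otherwise issue applies.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # only iodef (or nothing) present: no issuance restriction
    # The value is "<issuer-domain>[; parameters]"; an empty issuer ("; ") forbids everyone.
    return any(v.split(";")[0].strip().lower() == ca_domain.lower() for v in relevant)


@dataclass
class ContractOverride:
    """Evidence the CA holds for a contract-based override (modelled on the thread's proposal)."""
    signer_is_registrant: bool            # signer vetted as the domain registrant (EV-style)
    ca_cert_ct_logged_at: Optional[datetime]  # when the dedicated CA cert was CT-logged
    publicly_notified: bool               # the override was publicly announced


WAITING_PERIOD = timedelta(days=7)  # assumed value; the thread proposes a period but no length


def may_issue(ca_domain, fqdn, override=None, now=None, wildcard=False, zone=ZONE):
    """Decide issuance: CAA first, then the contract override only with all conditions met."""
    if caa_permits(ca_domain, fqdn, wildcard, zone):
        return True, "caa-permits"
    if override is None:
        return False, "caa-forbids"
    if not override.signer_is_registrant:
        return False, "override-rejected: signer is not the registrant"
    if override.ca_cert_ct_logged_at is None:
        return False, "override-rejected: CA certificate not CT-logged"
    now = now or datetime.now(timezone.utc)
    if now - override.ca_cert_ct_logged_at < WAITING_PERIOD:
        return False, "override-rejected: waiting period not elapsed"
    if not override.publicly_notified:
        return False, "override-rejected: no public notification"
    return True, "override-accepted"


if __name__ == "__main__":
    fixed_now = datetime(2016, 11, 9, 17, 34, tzinfo=timezone.utc)
    ok = ContractOverride(True, fixed_now - timedelta(days=10), True)
    print(may_issue("ca-beta.example", "www.example.com", ok, now=fixed_now))
```

Every rejection reason is returned rather than logged so that the decision can be recorded alongside the issuance request; a CA that auditors or the registrant later question can show which condition was unmet. Note that the example makes the override strictly additive: the CAA result is checked first, and the contract path is reached only when CAA would otherwise forbid issuance.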
