[cabfpub] Draft CAA motion (2)

[Gervase Markham]

Hi Doug,

On 14/11/16 21:09, Doug Beattie wrote:
> We're getting closer - is the only remaining discussion topic for
> allowing CAs to skip CAA "at time of  issuance" in certain cases when
> certain criteria are met?

So, having considered it, I will add an additional bullet to the list of
permitted exceptions:

* the domain's DNS is operated by the CA or an Affiliate

Today it is true that you shouldn't host your DNS with your CA unless
you're OK with that CA issuing certificates for you (see recent
discussion about Cloudflare in m.d.s.policy), and that's not going to
change, so I am comfortable with this exception. There is no point in
one part of a CA asking another part for permission. This should solve
Jody's problem, I hope, although it might not solve yours and Steve's,
unless you want to get into the DNS hosting business.

So we now need to talk about the idea of a contractual opt-out for CAA
checking, with an OID in the cert to indicate that this is what has
happened. My concern is that because most CAs have some sort of
contract, often click-through, with those who buy their certs, what's to
prevent them all sticking a "no need for CAA" clause into it, and then
not bothering to implement CAA at all?

Also, what if the contract is executed not with the domain holder, but
with an attacker? How can a domain holder prevent that happening?

I'm fairly sure CAs would not like the browsers or the BRs to start
making regulations about the strength of contracts they must have, or
the level of awareness by the contracting party they must prove exists.

I'd also be concerned that putting requirements on the type of contract
that must exist would be tantamount to saying "CAs with business model X
don't have to do this check, but CAs with business model Y do".

Gerv