[cabfpub] Draft CAA motion

Gervase Markham gerv at mozilla.org
Wed Nov 9 09:35:20 UTC 2016

On 08/11/16 22:43, Jacob Hoffman-Andrews via Public wrote:
> This is somewhat over-determined. I think all we care about is that the
> CAA check happens within time X before issuance, not the order of the
> check relative to other validation. For instance, CAs may choose to do
> the CAA check concurrently with other validation if they expect to issue
> within the time limit.

Yes, OK.

>> for all domains in the certificate
> Editorially: I think this should say "for each dNSName in the
> subjectAltName extension of the certificate to be issued."


>> the domain does not use DNSSEC.
> This is surprisingly difficult to check. If the CA is operating an
> off-the-shelf recursive resolver configured to validate DNSSEC, that
> resolver will return SERVFAIL for invalid DNSSEC records. A SERVFAIL
> response can also mean either a failure inside the infrastructure or
> outside. I think if we want to include this exception for lookup
> failure, we'll need to be more specific about ways to implement it, or
> it will certainly be implemented incorrectly.

I would welcome improved text :-)

>> If the CA issues, they must do so within 10 minutes of the check passing.
> Should we distinguish precert issuance here? If not, we could wind up
> with the strange situation of doing a CAA check, signing a precert,
> finding that it takes 10+ minutes to submit to enough CT logs, then
> being required to re-check CAA before final issuance. This may not seem
> like a big burden, but it's possible for the CAA results to change in
> that time.

Issuing a precert is equivalent to issuing a cert. So I wonder if we
might instead say that CAA only needs checking for the precert?
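
The issuance gate discussed in this thread, as an added example that is not part of the original message or the draft motion: one CAA check per dNSName, a lookup failure accepted only for a zone known not to use DNSSEC, and a 10-minute freshness limit. All names here (Lookup, CaaCheck, blockers) are hypothetical, and zone_signed is an assumed input that the CA determines separately; issue_at is the signing time of whatever counts as issuance.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

MAX_AGE = timedelta(minutes=10)  # "within 10 minutes of the check passing"

class Lookup(Enum):
    PERMITS = "permits"    # lookup succeeded, result allows this CA
    FORBIDS = "forbids"    # lookup succeeded, result does not allow this CA
    SERVFAIL = "servfail"  # ambiguous: invalid DNSSEC or a broken path
    TIMEOUT = "timeout"

@dataclass
class CaaCheck:
    dns_name: str
    outcome: Lookup
    zone_signed: Optional[bool]  # None = could not be determined (assumed input)
    checked_at: datetime

def blockers(checks, san_dns_names, issue_at):
    """Return (dNSName, reason) pairs that block issuance; empty list = go."""
    by_name = {c.dns_name: c for c in checks}
    found = []
    for name in san_dns_names:
        c = by_name.get(name)
        if c is None:
            found.append((name, "no CAA check recorded"))
        elif c.outcome is Lookup.FORBIDS:
            found.append((name, "CAA forbids issuance"))
        elif c.outcome is not Lookup.PERMITS and c.zone_signed is not False:
            # Lookup failure counts as a pass only for a zone known to be
            # unsigned; "unknown" fails closed.
            found.append((name, "lookup failed, zone not known unsigned"))
        elif issue_at - c.checked_at > MAX_AGE:
            found.append((name, "check older than 10 minutes"))
    return found

# Constructed sample data, not taken from the thread
T0 = datetime(2016, 11, 9, 9, 0, tzinfo=timezone.utc)
CHECKS = [
    CaaCheck("example.com", Lookup.PERMITS, True, T0),
    CaaCheck("www.example.com", Lookup.SERVFAIL, None, T0),
    CaaCheck("api.example.com", Lookup.TIMEOUT, False, T0),
]

if __name__ == "__main__":
    names = [c.dns_name for c in CHECKS]
    for name, reason in blockers(CHECKS, names, T0 + timedelta(minutes=5)):
        print(name, reason)
```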

