[cabfpub] Draft CAA motion (2)

Gervase Markham gerv at mozilla.org
Fri Nov 11 11:11:25 UTC 2016

Hi Jody,

On 10/11/16 17:52, Jody Cloutier wrote:
> Microsoft is in a unique position because we are both a browser and a
> CA. Microsoft continues to believe that any requirement to check CAA for
> domains that it already owns is unnecessary process, and we cannot
> support a ballot like this unless it carves out an exception for issuing
> certificates on domains that the CA owns through an Affiliate
> relationship.  For example, Microsoft obviously owns Microsoft.com. If
> it were to issue a TLS certificate for outlook.microsoft.com, having to
> check CAA would be unnecessary overhead. We need a carveout for this
> type of scenario.

Is it not simpler to build an issuance system that always checks CAA
than one which checks it sometimes? It's also more secure - if the CAA
check can be bypassed, there's an increased risk because it could be
inappropriately bypassed.

Are you concerned the MS DNS admins are going to add a CAA record for
outlook.microsoft.com which forbids Microsoft from issuing? Surely it
can't be doing the check itself which is overhead - it's a single DNS
request, something online systems do billions of times a day.
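
An added illustration of the single-code-path design discussed in this message (not part of the original e-mail and not any CA's actual code). It assumes the simple parent-climbing lookup and non-wildcard names only; the CA identifier `ca.example` and all CAA records below are constructed sample data, with a dictionary standing in for live DNS.

```python
# Constructed CAA data standing in for DNS answers: name -> [(flags, tag, value)].
SAMPLE_ZONE = {
    "microsoft.com": [(0, "issue", "ca.example")],   # constructed record
    "locked.example.org": [(0, "issue", ";")],       # ";" authorizes no CA
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical flag bit


def relevant_rrset(fqdn, lookup):
    """Climb from fqdn toward the root; return the first non-empty CAA RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = lookup(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def caa_permits(fqdn, ca_id, lookup):
    """True if the relevant CAA RRset allows ca_id to issue for fqdn."""
    rrset = relevant_rrset(fqdn, lookup)
    if not rrset:
        return True  # no CAA records anywhere on the path: unrestricted
    for flags, tag, _ in rrset:
        # A critical property the CA does not understand blocks issuance.
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False
    issue_values = [v for _, tag, v in rrset if tag.lower() == "issue"]
    if not issue_values:
        return True  # RRset present but carries no "issue" restriction
    # Compare the issuer domain, ignoring any parameters after ";".
    return any(v.split(";", 1)[0].strip().lower() == ca_id for v in issue_values)


def may_issue(fqdn, ca_id, lookup=SAMPLE_ZONE.get):
    """Issuance gate with one code path: there is no 'CA owns this domain'
    argument, so nothing exists that could be set to skip the check."""
    return caa_permits(fqdn, ca_id, lookup)


if __name__ == "__main__":
    for name in ("outlook.microsoft.com", "www.locked.example.org"):
        print(name, may_issue(name, "ca.example"))
```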

