[cabfpub] Draft CAA motion (2)

Gervase Markham gerv at mozilla.org
Fri Nov 11 11:21:11 UTC 2016

On 10/11/16 18:40, Steve Medin via Public wrote:
> I like your point about making a customer’s permission to bypass CAA for
> their service public, such as with name constraints. CAs can communicate
> customer-initiated CAA bypass with a dedicated CP OID in the end entity
> certs. Customer request passes through to browser visibility.

I'm not saying that isn't a small improvement, but... let's say FooCDN
is not a Symantec customer and has a CAA record to show this, and a cert
turns up for somename.foocdn.com issued by Symantec, with this OID in
it. The OID tells an annoyed foocdn.com that you didn't check CAA -
"well gee, thanks" they say. They ask you how and why you issued it, and
you say "well, BigFooCDNCustomer demonstrated domain control over
somename.foocdn.com last year, and so it's on our list of domains we can
issue certs for them for, without checking CAA". How would FooCDN react
to this explanation?

One of the things Google, Amazon and others have said several times
recently is that they'd like to use CAA to stop people who would
otherwise be able to prove domain control from getting certs.


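As an added illustration (not part of Gerv's message or any Forum text), here is a Python CAA check in the RFC 6844 style, run over a constructed zone for foocdn.com: the issuer name "ca.example", the authorised "example-ca.net" and the demonstrated-control list are all placeholders. It shows that a prior proof of domain control does not remove the CAA check for that name.

```python
"""Added example: RFC 6844-style CAA evaluation for the thread's scenario.
All DNS data below is constructed; the CA names are placeholders."""

# Constructed zone data: owner name -> list of (flags, tag, value) CAA records.
# foocdn.com authorises only "example-ca.net" to issue for its names.
CONSTRUCTED_ZONE = {
    "foocdn.com.": [(0, "issue", "example-ca.net")],
    "locked.example.": [(0, "issue", ";")],  # value ";" means nobody may issue
    "odd.example.": [(128, "futuretag", "x")],  # critical flag, unknown tag
}

# Constructed list of names for which a customer "demonstrated control last
# year", i.e. the bypass list described in the message.
CUSTOMER_DOMAINS = {"somename.foocdn.com."}


def relevant_caa(fqdn):
    """RFC 6844 section 4: climb from the FQDN towards the root and use the
    first CAA RRset found (CNAME/DNAME chasing omitted for brevity)."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = CONSTRUCTED_ZONE.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def caa_permits(fqdn, issuer_domain):
    """True if issuer_domain may issue for fqdn under the relevant CAA RRset.
    A name with no CAA records anywhere up the tree is unrestricted."""
    rrset = relevant_caa(fqdn)
    # An unknown tag with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False
    issue_values = [v for _, tag, v in rrset if tag == "issue"]
    if not issue_values:
        return True
    # The value may carry parameters after ';' ("ca.example; account=1").
    allowed = {v.split(";")[0].strip() for v in issue_values}
    return issuer_domain in allowed


def may_issue(fqdn, issuer_domain):
    """Issuance decision plus whether the name was on the bypass list.
    CAA is consulted regardless: demonstrated control never overrides it."""
    return caa_permits(fqdn, issuer_domain), fqdn in CUSTOMER_DOMAINS
```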