[cabfpub] Draft CAA motion (2)
jodycl at microsoft.com
Fri Nov 11 18:08:53 UTC 2016
In general, Microsoft wants to avoid unnecessary work. In this case, 99.9% of the certificates we issue are for our own domains. We do not want to have to check CAA for these because it's simply not necessary. It's not to say that we wouldn’t do the work to integrate with CAA because we would have to if we were to issue a certificate for some other domain. That said, I can't currently think of a situation that would require this, and that's why we want to be able to opt out for our own namespaces.
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Friday, November 11, 2016 3:11 AM
To: Jody Cloutier <jodycl at microsoft.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Draft CAA motion (2)
On 10/11/16 17:52, Jody Cloutier wrote:
> Microsoft is in a unique position because we are both a browser and a
> CA. Microsoft continues to believe that any requirement to check CAA
> for domains that it already owns is unnecessary process, and we cannot
> support a ballot like this unless it carves out an exception for
> issuing certificates on domains that the CA owns through an Affiliate
> relationship. For example, Microsoft obviously owns Microsoft.com. If
> it were to issue a TLS certificate for outlook.microsoft.com, having
> to check CAA would be unnecessary overhead. We need a carveout for
> this type of scenario.
Is it not simpler to build an issuance system that always checks CAA than one which checks it sometimes? It's also more secure - if the CAA check can be bypassed, there's an increased risk because it could be inappropriately bypassed.
Are you concerned the MS DNS admins are going to add a CAA record for outlook.microsoft.com which forbids Microsoft from issuing? Surely it can't be doing the check itself which is overhead - it's a single DNS request, something online systems do billions of times a day.
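The check being argued about above (climb the DNS tree from the FQDN to find the relevant CAA RRset, then see whether the requesting CA is named in an issue or issuewild property, with ";" meaning nobody may issue) is small enough to show in full. The following is an added worked example and is not code from the thread, from Microsoft, or from any CA's issuance system; it uses a constructed in-memory zone (the names ca-one.example, ca-two.example, example.com, locked.example.net and critical.example.org are assumptions, not real DNS data) in place of a resolver, and follows the RFC 8659 processing rules.

```python
"""Offline CAA policy evaluator (RFC 8659 semantics) over a constructed zone.

Added example, not part of the original mailing-list post. The ZONE table is
constructed sample data; a real CA would replace lookup_caa() with a DNSSEC-
validating resolver query for the CAA RRtype.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 128            # bit 7 of the CAA flags byte
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone (assumption: stands in for real DNS answers).
ZONE = {
    # Only ca-one may issue for example.com and below; wildcards are forbidden.
    "example.com": [CAARecord(0, "issue", "ca-one.example"),
                    CAARecord(0, "issuewild", ";")],
    # ";" with no issuer: no CA at all may issue for this subtree.
    "locked.example.net": [CAARecord(0, "issue", ";")],
    # An unrecognised tag with the critical flag set must block issuance.
    "critical.example.org": [CAARecord(ISSUER_CRITICAL, "unknowntag", "x"),
                             CAARecord(0, "issue", "ca-one.example")],
}


def lookup_caa(name):
    """Stand-in for a DNS CAA query; returns the RRset for an exact name."""
    return ZONE.get(name.rstrip(".").lower(), [])


def relevant_caa_set(fqdn):
    """RFC 8659 s3: the first non-empty CAA RRset found walking from the
    FQDN up towards the root is the one that governs issuance."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = lookup_caa(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def parse_issuer(value):
    """'ca.example; account=123' -> 'ca.example'; ';' -> '' (no issuer)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn, ca_domain):
    """Return (allowed, reason) for ca_domain issuing a certificate for fqdn.
    A request beginning with '*.' is treated as a wildcard request."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    source, rrset = relevant_caa_set(name)
    if not rrset:
        # No CAA anywhere in the tree: CAA places no restriction.
        return True, "no CAA records found in the tree"

    # Any critical record whose tag the CA does not understand forbids issuance.
    for rec in rrset:
        if rec.flags & ISSUER_CRITICAL and rec.tag.lower() not in KNOWN_TAGS:
            return False, f"unrecognised critical tag {rec.tag!r} at {source}"

    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # issuewild takes precedence for wildcard requests; otherwise issue applies.
    governing = (issuewild or issue) if wildcard else issue
    if not governing:
        return True, f"CAA at {source} has no governing issue/issuewild property"

    authorised = {parse_issuer(r.value) for r in governing}
    if ca_domain.lower() in authorised:
        return True, f"{ca_domain} authorised by CAA at {source}"
    shown = sorted(a or ";" for a in authorised)
    return False, f"{ca_domain} not in authorised set {shown} at {source}"


if __name__ == "__main__":
    for req, ca in [("outlook.example.com", "ca-one.example"),
                    ("outlook.example.com", "ca-two.example"),
                    ("*.example.com", "ca-one.example"),
                    ("www.locked.example.net", "ca-one.example"),
                    ("critical.example.org", "ca-one.example"),
                    ("www.nocaa.example", "ca-one.example")]:
        print(req, ca, caa_permits(req, ca))
```

The locked.example.net case is the scenario raised in the reply: a DNS administrator publishing an issue record with an empty issuer shuts out every CA, including the domain owner's own, which is exactly why an issuer that skips the check for its own namespace gives up the protection CAA is meant to add. Each evaluation is one tree walk of a handful of lookups, and in practice a single query, since the governing record is normally at the registered domain.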