[cabfpub] Draft CAA motion (2)
gerv at mozilla.org
Thu Nov 17 14:36:51 UTC 2016
On 17/11/16 13:41, Doug Beattie wrote:
> We'd like to avoid a requirement to check every FQDN (and especially
> at the time of issuance) and check only a higher level FQDN (or
> Domain Name) on a "regular" basis by following an approved,
> documented process. This will help move failure cases earlier in the
> ordering/validation flow instead of right at time of issuance and
> also allow high volume issuance without needing to insert a CAA check
> into the issuance process.
Thank you for the rationale; that helps. In terms of the volume, I think
the work done earlier and reported on this list demonstrates that CAA
need not be a problem for high volume issuance. So I don't set much
store by that objection. In terms of the place in the flow, you can
check CAA as many times as you like in your flow.
> Example 1: Assume we issue a lot of certificates to
> serialnumber.us.example.com, I'd like to check us.example.com every
> few days to cover this vs. every fqdn at the time of issuance. If
> that means a special CAA directive (no-check subdomain or something,
> what was this called?), then that's OK because we can work with the
> small number of customers that need this type of service. I'd like to
> avoid name constrained CAs, special extensions and complicated
> "contractual" requirements.
If all of the issuance is under a particular subdomain (us.example.com),
I would say that a name-constrained sub-CA is the right solution. You
don't say why you'd like to avoid them. As Peter Bowen has recently
pointed out (in m.d.s.policy, I think) it doesn't need to be a complex
process to make one under the current rules.
> I'm a bit concerned that not all DNS systems will allow the creation
> of CAA records, so the proposed solution above might need an
> alternative approach in those cases to allow high volume issuance.
> Rick reported on DNS capabilities a while ago, but I don’t know what
> the current status is.
I believe this is true, and that's one reason why the no-check-subdomain
idea is sub-optimal. As you will recall from reading the threads, we
considered that but rejected it because it turned out the problem it
purported to solve (high volume issuance) was not a problem at all.
> Example 2: Retail/reseller ordering process: Check CAA for the
> FQDN(s) when the order data is collected and be able to use that for
> up to 5 days. If it takes more than 5 days to complete the vetting
> process, then it needs to be checked again prior to issuance.
Why 5 days? This example above seems like the normal case. If you want
to check at order time to make sure there won't be a problem later,
that's fine. You just need to check again at issuance time, or within 1
hour, or within the TTL. A CAA check is very cheap indeed.
> Example 3: Enterprise account: I'd like to propose less restrictive
> checks on enterprise accounts when domain ownership or control is
> performed when the domain is added to the enterprise account, but I
> don’t think anything I would propose here would be accepted. I'll
> try anyway: If domain ownership is verified by vetting agents and
> added manually (vs. one of the other domain validation methods),
> would it be possible to do CAA checks at the time that domain is
> added and then annually thereafter and skip CAA checks for the
No, for all the reasons given previously in this thread :-)
> I'd propose CAA checking at a minimum every 5 days, but in reality
> we'd probably check every day or two and have that data useable for 5
> days to cover error cases when attempting to re-validate it.
> I'd propose soft fail for the first 6 months of this requirement then
> move to hard fail. That 6-month period of mandatory CAA will surface
> remaining CAA issues and then those can be addressed before hard fail
> is a requirement. While CAA has been talked about for 5 years, it
> needs some time for heavier use in a permissive mode vs. jumping
> right to hard fail to shake out operational issues.
There will be an implementation date, probably six months from the
ballot passing; if you implement quicker than that, you are welcome to
use soft fail up until the implementation date, and report any problems
We have been talking about this for too long; if CAs wanted experience
with CAA before it was mandatory, the time for doing that was in the
last N years. If it got pushed down the priority list, then clearly the
experience is not all that important after all.
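As an added illustration of the check being discussed (this is example code written for this page, not anything from Gerv's message, Doug's proposal or the CA/B Forum), the block below evaluates CAA for a requested name the way RFC 6844 describes: climb from the FQDN towards the root until a CAA record set is found, then apply the `issue`/`issuewild` properties. The zone data is constructed and held in memory so it runs offline; the names `example.com`, `us.example.com`, `ca-one.example`, `ca-two.example` and `strict.example` are assumptions, and the reuse window in `cached_check_usable` (a stored result is reused only while younger than both the record TTL and one hour) is this example's own assumption, not a rule the thread settles.

```python
"""Added example: RFC 6844-style CAA evaluation over a constructed zone."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 0x80 is the "issuer critical" flag
    tag: str     # "issue", "issuewild", "iodef", or a future tag
    value: str   # e.g. "ca-one.example; account=42" or ";" (no CA may issue)


# Constructed sample zone (assumption): owner name -> (ttl_seconds, CAA RRset).
# Names without an entry have no CAA records of their own.
ZONE = {
    "example.com.": (3600, [CAARecord(0, "issue", "ca-one.example")]),
    "us.example.com.": (300, [CAARecord(0, "issue", "ca-two.example"),
                              CAARecord(0, "issuewild", ";"),
                              CAARecord(0, "iodef", "mailto:sec@example.com")]),
    # Unknown tag marked critical: a CA that does not understand it must not issue.
    "strict.example.": (60, [CAARecord(0x80, "futuretag", "x")]),
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def find_relevant_caa(fqdn):
    """Climb from fqdn to the root; return (owner, ttl, records) of the
    closest CAA RRset, or (None, 0, []) if no ancestor has one."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]  # a wildcard request is checked at its parent
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ZONE:
            ttl, records = ZONE[candidate]
            return candidate, ttl, records
    return None, 0, []


def issuer_from_value(value):
    """'ca.example; account=42' -> 'ca.example'; ';' -> '' (matches no CA)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn, ca_domain, wildcard=False):
    """True if the CA identified by ca_domain may issue for fqdn."""
    _, _, records = find_relevant_caa(fqdn)
    if not records:
        return True  # no CAA anywhere up the tree: issuance is not restricted
    # Any critical property we do not understand forbids issuance.
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in records):
        return False
    # issuewild takes precedence for wildcard requests when present;
    # otherwise (and for all non-wildcard requests) the issue property applies.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"
    issuers = [issuer_from_value(r.value) for r in records if r.tag == tag]
    if not issuers:
        return True  # RRset present but no applicable issue/issuewild property
    return ca_domain.lower() in issuers


def cached_check_usable(checked_at, now, ttl, max_age=3600):
    """Assumption for this example: a stored CAA result is reusable only while
    it is younger than both the record TTL and max_age seconds."""
    age = now - checked_at
    return 0 <= age <= min(ttl, max_age)


if __name__ == "__main__":
    owner, ttl, _ = find_relevant_caa("serialnumber.us.example.com")
    print("closest CAA RRset:", owner, "ttl", ttl)
    print("ca-two for serialnumber.us.example.com:",
          caa_permits("serialnumber.us.example.com", "ca-two.example"))
    print("ca-one for serialnumber.us.example.com:",
          caa_permits("serialnumber.us.example.com", "ca-one.example"))
    print("ca-two wildcard *.us.example.com:",
          caa_permits("*.us.example.com", "ca-two.example", wildcard=True))
```

The climb stops at the first owner name that has a CAA RRset, which is why a record at `us.example.com` governs `serialnumber.us.example.com` regardless of what `example.com` says; that is the property Doug's Example 1 relies on, and the reason a single lookup per request stays cheap.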