[cabfpub] Draft CAA motion (2)

Gervase Markham gerv at mozilla.org
Thu Nov 17 14:36:51 UTC 2016

Hi Doug,

On 17/11/16 13:41, Doug Beattie wrote:
> We'd like to avoid a requirement to check every FQDN (and especially
> at the time of issuance) and check only a higher level FQDN (or
> Domain Name) on a "regular" basis by following an approved,
> documented process.  This will help move failure cases earlier in the
> ordering/validation flow instead of right at time of issuance and
> also allow high volume issuance without needing to insert a CAA check
> into the issuance process.

Thank you for the rationale; that helps. In terms of the volume, I think
the work done earlier and reported on this list demonstrates that CAA
need not be a problem for high volume issuance. So I don't set much
store by that objection. In terms of the place in the flow, you can
check CAA as many times as you like in your flow.

> Example 1: Assume we issue a lot of certificates to
> serialnumber.us.example.com, I'd like to check us.example.com every
> few days to cover this vs. every FQDN at the time of issuance.  If
> that means a special CAA directive (no-check subdomain or something,
> what was this called?), then that's OK because we can work with the
> small number of customers that need this type of service. I'd like to
> avoid name constrained CAs, special extensions and complicated
> "contractual" requirements.

If all of the issuance is under a particular subdomain (us.example.com),
I would say that a name-constrained sub-CA is the right solution. You
don't say why you'd like to avoid them. As Peter Bowen has recently
pointed out (in m.d.s.policy, I think) it doesn't need to be a complex
process to make one under the current rules.

> I'm a bit concerned that not all DNS systems will allow the creation
> of CAA records, so the proposed solution above might need an
> alternative approach in those cases to allow high volume issuance.
> Rick reported on DNS capabilities a while ago, but I don’t know what
> the current status is.

I believe this is true, and that's one reason why the no-check-subdomain
idea is sub-optimal. As you will recall from reading the threads, we
considered that but rejected it because it turned out the problem it
purported to solve (high volume issuance) was not a problem at all.

> Example 2: Retail/reseller ordering process: Check CAA for the
> FQDN(s) when the order data is collected and be able to use that for
> up to 5 days.  If it takes more than 5 days to complete the vetting
> process, then it needs to be checked again prior to issuance.

Why 5 days? This example above seems like the normal case. If you want
to check at order time to make sure there won't be a problem later,
that's fine. You just need to check again at issuance time, or within 1
hour, or within the TTL. A CAA check is very cheap indeed.

> Example 3: Enterprise account: I'd like to propose less restrictive
> checks on enterprise accounts when domain ownership or control is
> performed when the domain is added to the enterprise account, but I
> don’t think anything I would propose here would be accepted.  I'll
> try anyway: If domain ownership is verified by vetting agents and
> added manually (vs. one of the other domain validation methods),
> would it be possible to do CAA checks at the time that domain is
> added and then annually thereafter and skip CAA checks for the
> FQDNs?

No, for all the reasons given previously in this thread :-)

> I'd propose CAA checking at a minimum every 5 days, but in reality
> we'd probably check every day or two and have that data useable for 5
> days to cover error cases when attempting to re-validate it.
> I'd propose soft fail for the first 6 months of this requirement then
> move to hard fail.  That 6-month period of mandatory CAA will surface
> remaining CAA issues and then those can be addressed before hard fail
> is a requirement.  While CAA has been talked about for 5 years, it
> needs some time for heavier use in a permissive mode vs. jumping
> right to hard fail to shake out operational issues.

There will be an implementation date, probably six months from the
ballot passing; if you implement quicker than that, you are welcome to
use soft fail up until the implementation date, and report any problems
you encounter.

We have been talking about this for too long; if CAs wanted experience
with CAA before it was mandatory, the time for doing that was in the
last N years. If it got pushed down the priority list, then clearly the
experience is not all that important after all.
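
The following is an added example, not part of the original message or of any CA's code. It sketches the CAA lookup the thread is arguing about: the check climbs from the FQDN toward the root and uses the closest CAA record set, so a result for us.example.com says nothing about a name below it that publishes its own record. The zone contents, CA identifiers and the `cached_check_usable` helper are constructed for illustration; the helper reads "within 1 hour, or within the TTL" literally, and `issuewild`, parameters and CNAME handling are left out.

```python
# Constructed sample zone: owner name -> (TTL in seconds, [(tag, value), ...]).
# Every name, TTL and CA identifier below is made up for this example.
ZONE = {
    "example.com": (86400, [("issue", "ca-one.example")]),
    "locked.us.example.com": (300, [("issue", "ca-two.example")]),
}

def relevant_caa(fqdn, zone):
    """Climb from fqdn toward the root and return (owner, ttl, records)
    for the closest name that has CAA records, or None if there are none."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in zone:
            ttl, records = zone[name]
            return name, ttl, records
    return None

def may_issue(fqdn, ca_id, zone):
    """True if ca_id may issue for fqdn under the simplified rules above."""
    found = relevant_caa(fqdn, zone)
    if found is None:
        return True  # no CAA anywhere on the path: issuance is unrestricted
    issuers = [value for tag, value in found[2] if tag == "issue"]
    return not issuers or ca_id in issuers

def cached_check_usable(age_seconds, ttl_seconds, window=3600):
    """Assumed reading of the reply: an earlier check can be reused if it is
    at most one hour old or still inside the record's TTL."""
    return age_seconds <= window or age_seconds <= ttl_seconds

if __name__ == "__main__":
    ca = "ca-one.example"
    for name in ("us.example.com", "serial1.us.example.com",
                 "locked.us.example.com"):
        owner = relevant_caa(name, ZONE)[0]
        print(f"{name}: CAA found at {owner}, may_issue={may_issue(name, ca, ZONE)}")
    # A check made five days ago against a record with a one-day TTL
    print("5-day-old check usable:", cached_check_usable(5 * 86400, 86400))
```
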