[cabfpub] Draft CAA motion (2)

Jeremy Rowley jeremy.rowley at digicert.com
Thu Nov 17 15:41:05 UTC 2016

Just to summarize, the two exceptions to CAA are now:
1) A technically constrained intermediate with a contract that permits a CAA
exception and
2) Where the CA is issuing to its own domains and domains of its affiliates

In all other cases, CAA would be hard-fail.

Is this an accurate summary?


-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase
Markham via Public
Sent: Thursday, November 17, 2016 4:31 AM
To: Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum Public
Discussion List <public at cabforum.org>; Peter Bowen <pzb at amzn.com>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: Re: [cabfpub] Draft CAA motion (2)

Hi Doug,

On 14/11/16 21:09, Doug Beattie wrote:
> We're getting closer - is the only remaining discussion topic for
> allowing CAs to skip CAA "at time of issuance" in certain cases when
> certain criteria are met?

So, having considered it, I will add an additional bullet to the list of
permitted exceptions:

* the domain's DNS is operated by the CA or an Affiliate

Today it is true that you shouldn't host your DNS with your CA unless you're
OK with that CA issuing certificates for you (see recent discussion about
Cloudflare in m.d.s.policy), and that's not going to change, so I am
comfortable with this exception. There is no point in one part of a CA
asking another part for permission. This should solve Jody's problem, I
hope, although it might not solve yours and Steve's, unless you want to get
into the DNS hosting business.

So we now need to talk about the idea of a contractual opt-out for CAA
checking, with an OID in the cert to indicate that this is what has
happened. My concern is that because most CAs have some sort of contract,
often click-through, with those who buy their certs, what's to prevent them
all sticking a "no need for CAA" clause into it, and then not bothering to
implement CAA at all?

Also, what if the contract is executed not with the domain holder, but with
an attacker? How can a domain holder prevent that happening?

I'm fairly sure CAs would not like the browsers or the BRs to start making
regulations about the strength of contracts they must have, or the level of
awareness by the contracting party they must prove exists.

I'd also be concerned that putting requirements on the type of contract that
must exist would be tantamount to saying "CAs with business model X don't
have to do this check, but CAs with business model Y do".
