[cabfpub] Draft CAA motion (2)

Gervase Markham gerv at mozilla.org
Thu Nov 17 15:43:51 UTC 2016

On 17/11/16 15:41, Jeremy Rowley wrote:
> Just to summarize, the two exceptions to CAA are now:
> 1) A technically constrained intermediate with a contract that permits a CAA
> exception and
> 2) Where the CA is issuing to its own domains and domains of its affiliates
> In all other cases, CAA would be hard-fail.
> Is this an accurate summary?

From the draft (2):

CAs MUST NOT rely on any exceptions specified in their CP or CPS unless
they are one of the following:

* CAA checking is optional for certificates for which a Certificate
Transparency pre-certificate was created and logged in at least two
public logs, and for which CAA was checked.

* CAA checking is optional for certificates issued by a Technically
Constrained Subordinate CA Certificate as set out in Baseline
Requirements section 7.1.5, where the lack of CAA checking is an
explicit contractual provision in the contract with the Applicant.

And then we would add a third:

* CAA checking is optional for domains whose DNS is controlled by the CA
or an Affiliate.

The "whose DNS is controlled by" may not be quite the right formulation;
if you think it's not, suggest better.
