[cabfpub] Draft CAA motion (2)

Steve Medin Steve_Medin at symantec.com
Thu Nov 17 21:18:42 UTC 2016


Yea, just jumping on this, if we can't say the "C" word, let's talk about
enterprise accounts, like those who have been with each of us for a decade
plus. We've already issued large numbers of certificates to them. On the
effective date, we're polling their DNS on every request. ++good.

While using the "C" word, I was alluding to enterprise accounts and my
experiences with them. The CAs in the Forum who have enterprise accounts are
many to all. Most of us would support a ballot that provides:

No account, per-transaction CAA checking. Vetted account (subject to
definition and minimum requirements), less-often CAA checking.

TCSCs, when the domain names aren't known, don't scale for customers who add
brandspace constantly. Every added name is a key ceremony and all it
entails. Every new generation of the CA is a server install headache for
most organizations because last I checked only one browser supports AIA CA
Issuers, most servers are not domain-joined, and not all companies can
afford Venafi. Sure, yes, all things with a handful of scripts, but the
reality is there's a large surface of enterprise web space where certs are
and will continue to be installed manually with change control documentation
and announced maintenance windows and such regalia.

> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Bruce
> Morton via Public
> Sent: Thursday, November 17, 2016 12:02 PM
> To: Gervase Markham <gerv at mozilla.org>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>; Doug Beattie
> <doug.beattie at globalsign.com>; Peter Bowen <pzb at amzn.com>
> Cc: Bruce Morton <Bruce.Morton at entrustdatacard.com>
> Subject: Re: [cabfpub] Draft CAA motion (2)
> 
> No. The exception is to allow a customer with an enterprise relationship with
> one CA not to have a CAA hard fail. If the customer does not have an
> enterprise relationship with the other CAs, then this exception does not
> apply.
> 
> An attacker cannot set up an enterprise relationship as their verification will
> fail.
> 
> Please note that we have over 15 years' experience in setting up enterprise
> relationships with Subscribers with an exceptional success rate.
> 
> Bruce.
> 
> -----Original Message-----
> From: Gervase Markham [mailto:gerv at mozilla.org]
> Sent: Thursday, November 17, 2016 11:07 AM
> To: Bruce Morton <Bruce.Morton at entrustdatacard.com>; CA/Browser
> Forum Public Discussion List <public at cabforum.org>; Doug Beattie
> <doug.beattie at globalsign.com>; Peter Bowen <pzb at amzn.com>
> Subject: Re: [cabfpub] Draft CAA motion (2)
> 
> On 17/11/16 15:56, Bruce Morton wrote:
> > [BM] To avoid a relationship with an attacker the CA could have an
> > "enterprise" relationship with the Subscriber.
> 
> So if I'm a big corporation, I need to have enterprise relationships with every
> CA, to prevent an attacker setting up a relationship with that CA and
> pretending to be me?
> 
> Gerv
> 
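The CAA check the thread is arguing about (the per-request DNS poll, and the "hard fail" when the issuing CA is not listed), written out as an added example. This is not code from the thread, from Symantec, Entrust or any CA; DNS is replaced by a constructed in-memory zone so it runs offline, every domain name in it is hypothetical, and it assumes the simplest issuer match (the CA's identifier equals the issuer-domain-name in the record), following the RFC 6844 tree-climbing and issue/issuewild rules.

```python
"""CAA check a CA would run before issuance (RFC 6844 / RFC 8659 semantics).

Added example, not from the cabfpub thread. DNS is replaced by a constructed
in-memory zone so the logic runs offline; all names below are hypothetical.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # flags bit 7 in a CAA RR


@dataclass(frozen=True)
class CAARecord:
    flags: int  # 0 or ISSUER_CRITICAL
    tag: str    # "issue", "issuewild", "iodef", or something unknown
    value: str  # e.g. "trusted-ca.example; account=42", or ";" to forbid all


# Constructed zone: owner name -> CAA RRset. A missing key means no CAA RRset.
ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "trusted-ca.example; account=42"),
        CAARecord(0, "issuewild", ";"),  # no wildcard certs from anyone
    ],
    "locked.example.": [
        CAARecord(ISSUER_CRITICAL, "future-tag", "unknown-semantics"),
    ],
}


def lookup_caa(zone, fqdn):
    """Climb from fqdn toward the root and return (owner, rrset) of the first
    CAA RRset found; (None, []) if none exists below the root."""
    labels = (fqdn.rstrip(".") + ".").split(".")
    for i in range(len(labels) - 1):  # stop before the root label
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def issuer_domain(value):
    """The issuer-domain-name part of an issue/issuewild value ('' means nobody)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone, fqdn, ca_domain):
    """Decide whether the CA identified by ca_domain may issue for fqdn.
    Returns (allowed, reason). A False result is the 'hard fail' of the thread."""
    ca_domain = ca_domain.lower()
    wildcard = fqdn.startswith("*.")
    owner, rrset = lookup_caa(zone, fqdn[2:] if wildcard else fqdn)
    if not rrset:
        return True, "no CAA RRset on the name or any ancestor"
    # An unknown tag flagged critical means the CA must not issue.
    for rr in rrset:
        if rr.flags & ISSUER_CRITICAL and rr.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"{owner}: critical tag {rr.tag!r} not understood"
    tags = {rr.tag.lower() for rr in rrset}
    # issuewild governs wildcard names when present; otherwise issue applies to both.
    relevant = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if relevant not in tags:
        return True, f"{owner}: no {relevant} records, issuance unrestricted"
    allowed = {issuer_domain(rr.value) for rr in rrset if rr.tag.lower() == relevant}
    if ca_domain in allowed:
        return True, f"{owner}: {relevant} authorizes {ca_domain}"
    return False, f"{owner}: {relevant} permits only {sorted(a or '<nobody>' for a in allowed)}"


if __name__ == "__main__":
    # Walk the cases a CA meets: listed CA, unlisted CA, wildcard, critical
    # unknown tag, and a name with no CAA policy at all.
    for name, ca in [("www.example.com", "trusted-ca.example"),
                     ("www.example.com", "other-ca.example"),
                     ("*.example.com", "trusted-ca.example"),
                     ("host.locked.example", "trusted-ca.example"),
                     ("nocaa.test", "trusted-ca.example")]:
        print(name, ca, caa_permits(ZONE, name, ca))
```

The per-transaction checking Steve describes is `caa_permits` run at every issuance against a fresh lookup; the "unlisted CA" case is the hard fail that Bruce's enterprise-relationship exception would relax for one CA only, and nothing in this check lets a CA that is absent from the record issue.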