[cabfpub] Draft CAA motion (2)

Gervase Markham gerv at mozilla.org
Mon Nov 21 18:55:12 UTC 2016


On 18/11/16 16:59, Steve Medin wrote:
> Now back to my snipped point about the customer who has had the same 2,000 
> domains for the past 10 years, has CAA to protect from unauthorized CAs 
> issuing for their domains, and submits 500 requests a day. What do they gain 
> by having "their CA" check CAA?

They gain because if their CA is required to do it, the rule which
requires that means all the other CAs are required to do it too.

Look at it another way. If that customer puts in place CAA records "to
protect from unauthorized CAs issuing for their domains", would they
prefer that other CAs be required to check CAA in all circumstances, or
are they OK with those other CAs not checking CAA in a bunch of
circumstances that those other CAs define? If they would prefer that
"other" CAs check CAA in all circumstances (thereby maximising the
protection this customer gets from their CAA records), then they need to
be OK with the CA they are currently using also being required to check
it in all circumstances.

What you see as "pointless" CAA checks are the consequence of a
universal rule which, in the end, protects everyone equally.

Gerv


