[cabfpub] Continuing the discussion on CAA

Richard Barnes rbarnes at mozilla.com
Thu Oct 27 15:44:49 MST 2016


On Thu, Oct 27, 2016 at 6:33 PM, Jody Cloutier via Public <
public at cabforum.org> wrote:

> Question: If a company has trusted roots, but it does not issue roots to
> the general public, would it still have to check the CAA database?
>

I assume you mean "issue certificates"?

I'm not sure what you mean by "not issuing to the general public", but I'm
concerned about heading back toward the "internal names" exception that we
killed not so long ago.

--Richard



>
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Andrew
> Ayer via Public
> Sent: Tuesday, October 25, 2016 10:32 AM
> To: public at cabforum.org
> Subject: Re: [cabfpub] Continuing the discussion on CAA
>
> On Mon, 24 Oct 2016 18:52:06 +0000
> Jeremy Rowley via Public <public at cabforum.org> wrote:
>
> > "CAA records MAY be used by Certificate Evaluators as a possible
> > indicator of a security policy violation.  Such use SHOULD take
> > account of the possibility that published CAA records changed
> > between the time a certificate was issued and the time at which the
> > certificate was observed by the Certificate Evaluator."
> >
> > I know it says this, but I'm not sure how this would ever happen in
> > practice. That seems more like the role of CT over CAA.
>
> CT finds certificates but doesn't tell you whether a certificate was
> authorized or not.  A CT monitor could check CAA records and raise an alarm
> if a certificate was issued by an unauthorized CA.
>
> Regards,
> Andrew
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
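The check Andrew describes above (a CT monitor comparing the CA that issued an observed certificate against the CAA records published for each name in it) is sketched below as an added example; it is not code from the thread or from any CA Browser Forum project. DNS is replaced by a constructed in-memory table so it runs offline, the CA identifiers (`ca-one.example`, `ca-two.example`) and the `ObservedCert` record are placeholders of my own, and the processing rules follow the CAA specification as I read it (climb from the FQDN to its parents until a non-empty record set is found, `issuewild` overrides `issue` only for wildcard names, an empty issuer value means "no CA may issue", an unrecognised critical property forbids issuance). As the quoted RFC text warns, records may have changed since issuance, so an alarm from this check is a lead for investigation rather than proof of mis-issuance.

```python
"""Toy CT-monitor check: is the CA that issued an observed certificate
authorized by the CAA records currently published for each of its names?

Hypothetical example code written for this mailing-list thread, not part
of it. DNS is replaced by a constructed in-memory table so it runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A CAA record as published in DNS: (flags, property tag, property value).
CAARecord = Tuple[int, str, str]

# Constructed zone data standing in for real DNS lookups (assumption).
# Values are the "issuer domain names" CAs publish for matching; the CA
# names below are placeholders, not real CAs.
DNS_CAA: Dict[str, List[CAARecord]] = {
    "example.com": [(0, "issue", "ca-one.example"),
                    (0, "iodef", "mailto:security@example.com")],
    "locked.example.net": [(0, "issue", ";")],           # ";" = nobody may issue
    "wild.example.org": [(0, "issue", "ca-one.example"),
                         (0, "issuewild", "ca-two.example")],
    "strict.example.org": [(128, "unknowntag", "x")],   # critical bit, unknown tag
    "notes.example.io": [(0, "iodef", "mailto:noc@example.io")],  # iodef only
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def lookup_caa(name: str) -> List[CAARecord]:
    """Stand-in for a DNS query for CAA records at exactly this name."""
    return DNS_CAA.get(name.lower().rstrip("."), [])


def relevant_caa_set(fqdn: str) -> List[CAARecord]:
    """Climb from the FQDN towards the root until a non-empty CAA set is
    found. A leading wildcard label is dropped first. Returns [] when no
    ancestor publishes CAA, which means issuance is unrestricted."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = lookup_caa(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def ca_authorized(fqdn: str, issuer_id: str) -> bool:
    """True if a CA identified by issuer_id may issue for fqdn under the
    currently published CAA records."""
    rrset = relevant_caa_set(fqdn)
    if not rrset:
        return True
    # Critical flag (bit 7) on a property we do not understand: refuse.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issue"
    if fqdn.startswith("*.") and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"          # issuewild takes precedence for wildcards
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True                # e.g. iodef-only set: no restriction
    # Value syntax is "issuer-domain-name [; parameters]"; an empty issuer
    # domain name ("" or ";") authorizes no CA at all.
    allowed = {v.split(";")[0].strip().lower() for v in values}
    return issuer_id.lower() in allowed


@dataclass
class ObservedCert:
    serial: str            # constructed identifier for the sample below
    names: List[str]       # subject alternative names seen in CT
    issuer_caa_id: str     # issuer domain name the issuing CA publishes


def caa_alarms(certs: List[ObservedCert]) -> List[Tuple[str, str]]:
    """Return (serial, name) pairs where the issuing CA is not authorized by
    today's CAA records. Records may have changed since issuance, so each
    alarm is something to investigate, not proof of mis-issuance."""
    return [(c.serial, n) for c in certs for n in c.names
            if not ca_authorized(n, c.issuer_caa_id)]


# Constructed sample of certificates as a CT monitor might surface them.
SAMPLE_CERTS = [
    ObservedCert("01", ["www.example.com"], "ca-one.example"),
    ObservedCert("02", ["www.example.com"], "ca-two.example"),
    ObservedCert("03", ["*.wild.example.org"], "ca-two.example"),
    ObservedCert("04", ["*.wild.example.org", "wild.example.org"], "ca-one.example"),
    ObservedCert("05", ["nocaa.example.test"], "ca-two.example"),
]

if __name__ == "__main__":
    for serial, name in caa_alarms(SAMPLE_CERTS):
        print(f"ALARM: cert {serial} covers {name}; issuer not CAA-authorized")
```

Running the script flags certificate 02 (issued for `www.example.com` by a CA that `example.com`'s `issue` record does not name) and certificate 04 only for its wildcard name, since `*.wild.example.org` is governed by the `issuewild` record while the bare `wild.example.org` name falls under `issue`.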