[cabfpub] Continuing the discussion on CAA

Rick Andrews Rick_Andrews at symantec.com
Thu Oct 27 15:46:51 MST 2016


Jody, did you mean to say "it does not issue _certs_ to the general public"?
I think the answer is: if those certs are in scope for the BRs, then any
rules in the BRs about CAA take effect. 

Currently, the only rule in the BRs concerning CAA is that the CA has to
publish their CAA policy in their CP/CPS. It says nothing about what
browsers have to do ;^)

-Rick

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Jody Cloutier
via Public
Sent: Thursday, October 27, 2016 3:34 PM
To: public at cabforum.org
Cc: Jody Cloutier <jodycl at microsoft.com>
Subject: Re: [cabfpub] Continuing the discussion on CAA

Question: If a company has trusted roots, but it does not issue roots to the
general public, would it still have to check the CAA database? 

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Andrew Ayer
via Public
Sent: Tuesday, October 25, 2016 10:32 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA

On Mon, 24 Oct 2016 18:52:06 +0000
Jeremy Rowley via Public <public at cabforum.org> wrote:

> "CAA records MAY be used by Certificate Evaluators as a possible
> indicator of a security policy violation.  Such use SHOULD take
> account of the possibility that published CAA records changed
> between the time a certificate was issued and the time at which the
> certificate was observed by the Certificate Evaluator."
>
> I know it says this, but I'm not sure how this would ever happen in
> practice. That seems more like the role of CT over CAA.

CT finds certificates but doesn't tell you whether a certificate was
authorized or not.  A CT monitor could check CAA records and raise an alarm
if a certificate was issued by an unauthorized CA.

Regards,
Andrew
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
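The monitor Andrew describes, as an added example that is not part of this thread or of any CT monitor project: it evaluates the names in a CT-observed certificate against the relevant CAA RRset using the RFC 6844/8659 tree-climbing and issue/issuewild rules. The zone data, CA identifiers and log entries are constructed stand-ins for DNS lookups and real log entries.

```python
# Constructed CAA zone data: name -> list of (tag, value). A name absent from
# the dict has no CAA records, so the search continues at its parent.
CAA_ZONE = {
    "example.com": [("issue", "ca-one.example; accounturi=https://acct.example/1"),
                    ("issuewild", ";"),          # nobody may issue wildcards
                    ("iodef", "mailto:security@example.com")],
    "other.test": [("iodef", "mailto:security@other.test")],  # no issue tags
}

def relevant_caa(name):
    """Return the CAA RRset relevant to `name` (RFC 8659 section 3), or [].
    For a wildcard name the search starts at its parent domain."""
    wildcard = name.startswith("*.")
    labels = (name[2:] if wildcard else name).lower().split(".")
    for i in range(len(labels)):
        rrset = CAA_ZONE.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []

def ca_authorized(name, ca_domain):
    """True if the CA identified by `ca_domain` may issue for `name`."""
    rrset = relevant_caa(name)
    tag = "issue"
    # issuewild takes precedence for wildcard names; otherwise issue applies.
    if name.startswith("*.") and any(t == "issuewild" for t, _ in rrset):
        tag = "issuewild"
    # The CA domain is the text before the first ';' (parameters follow it);
    # the value ";" yields "" which matches no CA at all.
    permitted = [v.split(";")[0].strip().lower() for t, v in rrset if t == tag]
    if not permitted:        # no restricting tags: issuance is not restricted
        return True
    return ca_domain.lower() in permitted

def check_ct_entry(entry):
    """Names in a CT-observed certificate whose issuer is not CAA-authorized.
    A non-empty result is a lead for investigation, not proof of misissuance:
    the records seen now may differ from those the CA saw at issuance time."""
    return [n for n in entry["names"] if not ca_authorized(n, entry["issuer_caa_id"])]

if __name__ == "__main__":
    # Constructed CT log entries (issuer identified by its CAA domain).
    for entry in [
        {"issuer_caa_id": "ca-one.example", "names": ["www.example.com", "example.com"]},
        {"issuer_caa_id": "ca-two.example", "names": ["api.example.com"]},
        {"issuer_caa_id": "ca-one.example", "names": ["*.example.com"]},
        {"issuer_caa_id": "ca-two.example", "names": ["host.other.test"]},
    ]:
        flagged = check_ct_entry(entry)
        print("ALARM" if flagged else "ok   ", entry["issuer_caa_id"], flagged)
```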