[cabfpub] CAA concerns (and potential solutions)
pzb at amzn.com
Fri Oct 28 09:57:30 MST 2016
> On Oct 28, 2016, at 9:51 AM, Ryan Sleevi <sleevi at google.com> wrote:
> On Fri, Oct 28, 2016 at 8:01 AM, Gervase Markham via Public <public at cabforum.org <mailto:public at cabforum.org>> wrote:
> However, the expected use case for skipsubdomains=true is when CAs
> have a very particular relationship with a small number of clients who
> need high speed issuance.
> If that is the use case, then I think the onus should be on CAs wanting or representing that to show, in a timely fashion, data that would suggest this is necessary. Otherwise, it seems very much an 'uncertainty' thing, without any concrete demonstration that the overhead of the CAA check for <random>.thing.example.com <http://thing.example.com/> would dominate any of the issuance process.
With products like the Cavium CNN3560-NFBE-G supporting more than 30,000 RSA signatures per second when using a 2048-bit key, I'm confident that the multiple DNS lookups required by CAA will be the long pole.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public