[cabfpub] CAA concerns (and potential solutions)

Peter Bowen pzb at amzn.com
Fri Oct 28 09:57:30 MST 2016


> On Oct 28, 2016, at 9:51 AM, Ryan Sleevi <sleevi at google.com> wrote:
> 
> 
> 
> On Fri, Oct 28, 2016 at 8:01 AM, Gervase Markham via Public <public at cabforum.org> wrote:
> > However, the expected use case for skipsubdomains=true is when CAs
> > have a very particular relationship with a small number of clients who
> > need high speed issuance.
> 
> If that is the use case, then I think the onus should be on CAs wanting or representing that to show, in a timely fashion, data that would suggest this is necessary. Otherwise, it seems very much an 'uncertainty' thing, without any concrete demonstration that the overhead of the CAA check for <random>.thing.example.com would dominate any of the issuance process.

With products like the Cavium CNN3560-NFBE-G supporting more than 30,000 RSA signatures per second when using a 2048-bit key, I'm confident that the multiple DNS lookups required by CAA will be the long pole.
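
The lookup cost discussed in this message, as an added example that is not part of the original post: a sketch of RFC 6844 CAA tree climbing that counts the DNS queries needed for a deep name and sets them against the quoted signing rate. The zone contents, the CA domain names and the 20 ms per-lookup latency are constructed assumptions; CNAME/DNAME handling and `issuewild` are left out.

```python
# Added example: RFC 6844 CAA tree climbing over a constructed in-memory zone.
# Simplification: CNAME/DNAME handling and issuewild are left out.

# Constructed sample data: owner name -> list of (tag, value) CAA properties.
SAMPLE_ZONE = {"example.com.": [("issue", "ca.example.net; account=1234")]}

def climb(fqdn):
    """Names a CA queries for CAA, leaf first, up to but excluding the root."""
    labels = fqdn.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]

def relevant_caa(fqdn, zone):
    """Return (records, lookups) for the first non-empty CAA set on the way up."""
    lookups = 0
    for name in climb(fqdn):
        lookups += 1                      # one DNS query per level climbed
        records = zone.get(name, [])
        if records:
            return records, lookups
    return [], lookups                    # climbed to the TLD, nothing found

def issuance_permitted(fqdn, ca_domain, zone):
    """Apply the 'issue' property: no issue property means unrestricted."""
    records, lookups = relevant_caa(fqdn, zone)
    issuers = [v.split(";")[0].strip() for tag, v in records if tag == "issue"]
    return (not issuers or ca_domain in issuers), lookups

def signatures_forgone(lookups, rtt_ms, sigs_per_second):
    """Signatures the signer could have produced while the lookups ran serially."""
    return lookups * rtt_ms * sigs_per_second // 1000

if __name__ == "__main__":
    ok, n = issuance_permitted("random.thing.example.com", "ca.example.net", SAMPLE_ZONE)
    # 20 ms per uncached lookup is an assumption; 30,000/s is the figure quoted above.
    print(ok, n, signatures_forgone(n, 20, 30000))
```

A name with no CAA set anywhere on the path costs the most, since the climb only stops at the TLD.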
