[cabfpub] Continuing the discussion on CAA
Jeremy Rowley
jeremy.rowley at digicert.com
Mon Oct 24 16:26:16 UTC 2016
Thanks Gerv. Very useful.
I think there are just three concerns with CAA I'd like to address before
hard-fail is required:
1) CAA is currently an issuance check rather than a validation check. As
mentioned during the face-to-face, this is a hurdle in fast issuance of
certificates. We liked Ryan's proposal of simply doing a refresh every X days
as a solution. By moving it to a validation check, CAs can have fast issuance
times without CAA holding up the process after the initial validation is
complete.
2) If a customer has a single base domain and needs to issue 6 million certs
an hour for the various sub domains, then there isn't a way for the CA to
simply accept the base domain's CAA record.
3) The validation process is actually opposite of what is required by CAA.
The order required for CAA descends in scope rather than ascends (ie, check
third level, then second level). Validation under 169 takes the opposite
approach. The base domain is often used for validation without regard to
anything specified in sub domains. Seems like we should pivot CAA to match the
actual validation process and have the CAA scope match the domain
authorization scope. Without doing this you run into an inconsistency where
the customer could obtain *.example.com but not secure.example.com. This
doesn't make sense as we like to encourage customers to use non-wildcard names
when possible.
Problems #2 and #3 are easily solved together. Permitting verification of a
sub domain to override the higher level domains solves performance issues,
still restricts the scope of what CAs can issue, and permits high speed/volume
issuance off a base domain.
Thoughts?
Jeremy
-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Monday, October 24, 2016 9:43 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA
On 24/10/16 16:40, Jeremy Rowley via Public wrote:
> Has there been an issuance to a third party that CAA would have prevented?
> Since there's no way to ensure compliance with a hard-fail CAA
> requirement, will CAA do anything useful? We don't mind CAA as a
> validation check, but I'm curious if anyone knows of an issued cert
> that would have been rejected if CAA were fully implemented.
https://github.com/letsencrypt/boulder/issues/1231 :-)
Gerv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4964 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161024/d49ffefa/attachment-0001.p7s>
More information about the Public
mailing list