[cabfpub] Continuing the discussion on CAA

Ryan Sleevi sleevi at google.com
Wed Oct 26 17:20:28 UTC 2016


Reposting to the public list since, for some reason, Jeremy's reply-all
dropped it.

On Wed, Oct 26, 2016 at 8:54 AM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> Plus, DNS records aren’t exactly hard to change. Considering the general
> lack of support for CAA, getting a CAA record in the DNS is a lot more
> difficult than changing the record once established.
>
>
>
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of *Ryan
> Sleevi via Public
> *Sent:* Wednesday, October 26, 2016 9:52 AM
> *To:* Eneli Kirme <Eneli.Kirme at sk.ee>
> *Cc:* CABFPub <public at cabforum.org>
> *Subject:* Re: [cabfpub] Continuing the discussion on CAA
>
>
>
> On Oct 25, 2016 10:38 PM, "Eneli Kirme via Public" <public at cabforum.org>
> wrote:
>
> >
> > Hi,
> >
> > In practice CAA record are subject to be manipulated by UI provided by
> DNS records management. We have no way to control it and once there is a
> “default” listed for customer convenience then the damage for fair market
> has been placed. Without actually much thinking customers make a business
> decision of one area in the context of another without much thinking about
> it.
> > Can we from CABForum somehow protect against such “defaults”?
> >
>
> This has been discussed rather at length over the past two years. In
> Rick's slides from past meetings, you can find the discussion of
> differences between Kirk Hall and I on this, with Gervase supporting the
> position I put forward: No, we cannot.
>
> I appreciate the concern, but I believe it is largely hypothetical, I
> believe that as a concern it prevents real security without any
> demonstrable risk, and should the situation ever arise in reality, we can
> actually evaluate it rather than the hypothetical.
>
> But I do want to highlight that this argument has been used against CAA
> since 2011, as the archives show, was previously made by Kirk Hall, and
> otherwise has prevented progress by raising the spectre of an issue without
> any real evidence.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161026/e10da971/attachment-0003.html>


More information about the Public mailing list