[cabfpub] Continuing the discussion on CAA

Ryan Sleevi sleevi at google.com
Thu Oct 27 22:49:45 UTC 2016


On Thu, Oct 27, 2016 at 3:44 PM, Richard Barnes via Public <
public at cabforum.org> wrote:

>
>
> On Thu, Oct 27, 2016 at 6:33 PM, Jody Cloutier via Public <
> public at cabforum.org> wrote:
>
>> Question: If a company has trusted roots, but it does not issue roots to
>> the general public, would it still have to check the CAA database?
>>
>
> I assume you mean "issue certificates"?
>
> I'm not sure what you mean by "not issuing to the general public", but I'm
> concerned about heading back toward the "internal names" exception that we
> killed not so long ago.
>

I don't think that's the direction Jody is speaking of, but more so speaking
to the pattern of organizationally operated, contractually (but not
technically) constrained subordinate CAs. A perhaps concrete example of
this is Google Intermediate Authority - G2, which is signed by Symantec,
but which Google operates for Google domains.

The matter speaks to the heart of what degrees of (sub-)CAs there are, and
whether contractual enforcements are sufficient. On the one hand, we can
see that all such sub-CAs are expected to be operated to the same standard
as the roots signing them - c.f. WebTrust audits and BR compliance - but on
the other hand, we can suspect that the need/use of this is restricted to a
certain subset.

Jody: As a concrete counterpoint, would you feel there should be exemptions
or carveouts (of any nature) for CAs that, say, only issue to citizens, or
only to contractually-negotiated-with parties?

I can see arguments both for and against, so I'm mostly trying to see if
there's a common principle we can apply here for the question of sub-CAs
and CAA.