[cabfpub] CAA concerns (and potential solutions)

[Gervase Markham]

On 28/10/16 15:49, Peter Bowen wrote:
> It is clear there is a lot of uncertainty out there about CAA.  One
> of the concerns is that this left hand not knowing what the right
> hand is doing scenario is common.  By requiring checking CAA and
> logging when it is being overridden, we can move to certainty. 

OK, makes sense.

> Without the “*” option, if a domain owner does not want to indicate
> CA restriction, then every label in every FQDN has to be checked.

True. However, the expected use case for skipsubdomains=true is when CAs
have a very particular relationship with a small number of clients who
need high speed issuance. The chances of people wanting that from any CA
are small. The downside of this change is that defining a new possible
value for the issue record ("*") is a much bigger change than just
adding a parameter.

   "An issuer MAY choose to specify issuer-parameters that further
   constrain the issue of certificates by that issuer, for example,
   specifying that certificates are to be subject to specific validation
   polices, billed to certain accounts, or issued under specific trust
   anchors.

   The semantics of issuer-parameters are determined by the issuer
   alone."

So CAs can invent whatever parameters with whatever syntax they want,
within the spec. Now, the way it would work in the BRs is that the BRs
would permit that the CA define and document the different processing
based on a CA-defined and documented parameter of
"skipsubdomainchecks=true". That doesn't require any changes to the CAA
spec itself. However, defining "*" does, as all clients need to
understand it; by default, they'd interpret it as "not my domain name"
and so refuse to issue.

So my proposal is that we don't do this, as it's not necessary in
practice and requires an actual spec change.

Gerv