[cabfpub] CAA concerns (and potential solutions)

Ryan Sleevi sleevi at google.com
Fri Oct 28 16:49:03 UTC 2016


On Fri, Oct 28, 2016 at 7:49 AM, Peter Bowen via Public <public at cabforum.org
> wrote:

>
> I think CAs should track this so we can come back in a year and review how
> often allowing soft-fail had any impact.


We've been spinning our wheels on this point for several years. For four
years now, we've been suggesting CAs do just that. They haven't. The
closest we've been able to come is for CAs to document their policies on
CAA.

The hope that those with concerns would work with their engineering teams
to gather concrete data, so that we can have meaningful technical
discussions, is, at this point, a pipe dream. Instead, we're seeing the
same objections circulated that were first brought up when we discussed
CAA. We see the same responses from supporters of CAA - which is to gather
more data - and the same lack of action and FUD from the naysayers.

If we had data to show otherwise, I would absolutely be in favor of
exploring what solutions - both technical and policy - we can form to
address this. Indeed, the whole point of the current CAA ballot was to
allow precisely what you describe - CA's to gather implementation
experience in a world they can safely soft-fail, so long as they document
as such - but we've seen the same lack of action.

This does not make it easy to engage in a mutually respectful, technically
driven discussion, and this makes it hard to be sympathetic to
hypotheticals when the CAs have had years to help improve their security
and the security of the Internet and failed to do so.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161028/b5a59135/attachment-0003.html>


More information about the Public mailing list