[cabfpub] Continuing the discussion on CAA

Doug Beattie doug.beattie at globalsign.com
Tue Sep 13 05:29:44 MST 2016


If we adopt CAA as a requirement, when in the process will the CAA check be mandated?

- When the certificate request is received (part of request validation similar to high risk checks)

- When the certificate request is approved (at time of issuance) - which could be minutes, hours or days after the request was received

- When the "Certificate Data" is collected and domain validation is performed

I believe the CAA spec says at time of issuance, but I'm hoping that for the BRs we can move the CAA check up in the issuance process to the point in time the Certificate Data is validated.  For enterprise type accounts we shouldn't need to validate CAA for every issuance if CAA was validated as part of Domain Validation for that enterprise.

Doug


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rick Andrews
Sent: Monday, September 12, 2016 6:56 PM
To: Eric Mill
Cc: public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA

Eric, the discussions around CAA have often included less-than-strict enforcement because some CAs were opposed to CAA deployment. Some thought that it might be easier to achieve broad adoption by mandating a lax minimum and then ratcheting it up over time.

-Rick


