[cabfpub] Continuing the discussion on CAA

Rick Andrews Rick_Andrews at symantec.com
Thu Sep 8 21:40:28 UTC 2016


I'd like to restart discussion on some points raised back in Bilbao [1] in
May.

The most contentious point, I think, was what the CA could and should do if
it finds a CAA record set that doesn't include the CA. At the meeting, these
options were discussed:

1) Discuss with the subscriber and ask them to update the CAA record
(possibly issue the cert if the subscriber can't update the record, or can't
do it in a reasonable timeframe)
2) Treat the request as "High Risk" (defined in the BRs)
3) Contact the domain holder based on whois info
4) Require EV-level validation (thought by some to be overkill for DV certs)

Some opposed Option 1 because it's not a "hard block". Option 2 has the
benefit of being defined in the BRs, but the BRs just say "The CA SHALL
develop, maintain, and implement documented procedures that identify and
require additional verification activity for High Risk Certificate Requests
prior to the Certificate's approval..." It's not clear to me what additional
verification activity would be performed beyond Option 1. Option 3 isn't
reliable because some domain registrations don't contain contact
information.

Option 4 seems like a possibility, if we can agree on which verification
methods in the EVGL are appropriate. Perhaps Section 11.8.3.  Acceptable
Methods of Verification - Authority?

Additionally, I'd like to address this point: 'Ryan pointed out that, at
present, nothing would prevent Neil from stating in his CP/CPS that his CA
will issue certificates if he sees a CAA record for "symantec.com" '. If
Neil adopted that policy, wouldn't it violate RFC 6844, which says "The
issue property entry authorizes the holder of the domain name <Issuer Domain
Name> or a party acting under the explicit authority of the holder of that
domain name to issue certificates for the domain in which the property is
published."?

[1] https://cabforum.org/wiki/Meeting%2038%20Minutes#CAA_.28RFC_6844.29

-Rick
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5725 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160908/f5ec7b4e/attachment.p7s>


More information about the Public mailing list