[cabfpub] Continuing the discussion on CAA

philliph at comodo.com philliph at comodo.com
Tue Sep 13 13:27:39 UTC 2016


As the CAA author, the reason the spec doesn’t talk about ‘validation’ is that the distinction between validation and issue is something that is a policy issue and the IETF does not do policy.

That said, why wouldn’t you want to do a check on each issue? It’s only a DNS lookup.


> On Sep 13, 2016, at 8:29 AM, Doug Beattie <doug.beattie at globalsign.com> wrote:
> 
> If we adopt CAA as a requirement, when in the process will the CAA check be mandated?
> - When the certificate request is received (part of request validation similar to high risk checks)
> - When the certificate request is approved (at time of issuance) – which could be minutes, hours or days after the request was received
> - When the “Certificate Data” is collected and domain validation is performed
>  
> I believe the CAA spec says at time of issuance, but I’m hoping that for the BRs we can move the CAA check up in the issuance process to the point in time the Certificate Data is validated.  For enterprise type accounts we shouldn’t need to validate CAA for every issuance if CAA was validated as part of Domain Validation for that enterprise.
>  
> Doug
>  
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rick Andrews
> Sent: Monday, September 12, 2016 6:56 PM
> To: Eric Mill
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Continuing the discussion on CAA
>  
> Eric, the discussions around CAA have often included less-than-strict enforcement because some CAs were opposed to CAA deployment. Some thought that it might be easier to achieve broad adoption by mandating a lax minimum and then ratcheting it up over time. 
> 
> -Rick
