[cabfpub] Continuing the discussion on CAA

Bruce Morton Bruce.Morton at entrust.com
Tue Sep 13 13:51:32 UTC 2016


I think the issue is the failure scenario.

The expectation for an enterprise account is that the information is all pre-validated. This allows the subscriber to issue OV and EV certificates 24/7/365. Performing a CAA check at time of issuance would mean that the data is not all pre-validated. A failed CAA check could stop a certificate from being issued.

From the EV point of view, there would appear to be limited value in performing EV validation (confirming authorization of the Certificate Approver), providing a subscriber with 2-factor login to issue a certificate, and then failing due to CAA.

Bruce.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of philliph at comodo.com
Sent: Tuesday, September 13, 2016 9:28 AM
To: Doug Beattie <doug.beattie at globalsign.com>
Cc: Rick Andrews <Rick_Andrews at symantec.com>; public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA

As the CAA author, the reason the spec doesn’t talk about ‘validation’ is that the distinction between validation and issue is something that is a policy issue and the IETF does not do policy.

That said, why wouldn’t you want to do a check on each issue? It’s only a DNS lookup.


On Sep 13, 2016, at 8:29 AM, Doug Beattie <doug.beattie at globalsign.com> wrote:

If we adopt CAA as a requirement, when in the process will the CAA check be mandated?
- When the certificate request is received (part of request validation similar to high risk checks)
- When the certificate request is approved (at time of issuance) – which could be minutes, hours or days after the request was received
- When the “Certificate Data” is collected and domain validation is performed

I believe the CAA spec says at time of issuance, but I’m hoping that for the BRs we can move the CAA check up in the issuance process to the point in time the Certificate Data is validated.  For enterprise type accounts we shouldn’t need to validate CAA for every issuance if CAA was validated as part of Domain Validation for that enterprise.

Doug


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rick Andrews
Sent: Monday, September 12, 2016 6:56 PM
To: Eric Mill
Cc: public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA

Eric, the discussions around CAA have often included less-than-strict enforcement because some CAs were opposed to CAA deployment. Some thought that it might be easier to achieve broad adoption by mandating a lax minimum and then ratcheting it up over time.

-Rick
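The check the thread keeps returning to ("only a DNS lookup", and whether to run it at validation time or at each issuance) is the CAA authorization decision itself. The following is an added example, not code from any participant or CA in this thread: it implements the RFC 6844 relevant-record-set search (climb from the FQDN towards the root, use the first name that has any CAA records) and the issue/issuewild decision over a constructed in-memory zone; the real DNS query and CNAME following are assumed away for an offline demonstration.

```python
"""CAA authorization check over a constructed zone, modelled on the
RFC 6844 'relevant record set' lookup: climb from the FQDN towards the
root and use the first name that has any CAA records. Live DNS and
CNAME following are replaced by a dictionary so this runs offline."""

# Constructed zone data for the demo: name -> list of (flags, tag, value).
# These names and records are made up; they are not real DNS data.
ZONE = {
    "example.com": [(0, "issue", "ca-one.example"),
                    (0, "issuewild", ";")],            # no wildcard issuance
    "locked.example.net": [(128, "unknown-tag", "x")],  # critical, unknown tag
    "open.example.org": [(0, "iodef", "mailto:sec@example.org")],
}

def relevant_records(fqdn):
    """Return the CAA records of the closest ancestor-or-self that has any."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if ZONE.get(name):
            return ZONE[name]
    return []

def caa_permits(fqdn, ca_domain):
    """True if ca_domain may issue for fqdn ('*.' prefix means a wildcard)."""
    wildcard = fqdn.startswith("*.")
    records = relevant_records(fqdn[2:] if wildcard else fqdn)
    if not records:
        return True                      # no CAA anywhere in the tree
    # A critical property (flag bit 7) the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in ("issue", "issuewild")
           for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # For a wildcard request issuewild takes precedence when present.
    applicable = issuewild if wildcard and issuewild else issue
    if not applicable:
        return True                      # no restricting property present
    # A value may carry parameters after ';' (e.g. "ca.example; account=1");
    # the CA identifier is the part before ';'. A bare ';' authorizes no one.
    return any(v.split(";")[0].strip().lower() == ca_domain.lower()
               for v in applicable)
```

Running the same function once at domain-validation time and again at issuance is what distinguishes the two positions in the thread; the records can change between those two moments.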



