[cabfpub] Continuing the discussion on CAA

Mehner, Carl Carl.Mehner at usaa.com
Tue Sep 13 17:37:03 UTC 2016 

    (reposting to pub list)

The RFC says,
   Before issuing a certificate, a compliant CA MUST check for
   publication of a relevant CAA Resource Record set.
...
   an exception specified
   in the relevant Certificate Policy or Certification Practices
   Statement applies.

It does not specify how long before the issuance that the CAA check "MUST" take place, that will be up to the policy set by the CA or CABF.

That said, in a scenario where an enterprise account had chosen and used a CA or set of CAs, but later chose to migrate away from one of those, I would expect that changing the enterprise’s CAA record would create a hard-fail scenario where that CA would no longer issue certificates for the enterprise (regardless of any ongoing or unexpired service agreements).

To your other point, there’s nothing stopping a CA from checking at time of validation also and providing a warning that issuance may fail due to CAA records.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Bruce Morton
Sent: Tuesday, September 13, 2016 8:52 AM
To: philliph at comodo.com; Doug Beattie <doug.beattie at globalsign.com>
Cc: Rick Andrews <Rick_Andrews at symantec.com>; public at cabforum.org
Subject: EXTERNAL: Re: [cabfpub] Continuing the discussion on CAA

I think the issue is the failure scenario.

The expectation for an enterprise account is that the information is all pre-validated. This allows the subscriber to issue OV and EV certificates 24/7/365. Performing a CAA check at time of issuance would mean that the data is not all pre-validated. A failed CAA check could stop a certificate from being issued.

From the EV point of view, there would appear to be limited value in performing EV validation (confirming authorization of the Certificate Approver), providing a subscriber with 2-factor login to issue a certificate, then fail due to CAA.

Bruce.

From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of philliph at comodo.com<mailto:philliph at comodo.com>
Sent: Tuesday, September 13, 2016 9:28 AM
To: Doug Beattie <doug.beattie at globalsign.com<mailto:doug.beattie at globalsign.com>>
Cc: Rick Andrews <Rick_Andrews at symantec.com<mailto:Rick_Andrews at symantec.com>>; public at cabforum.org<mailto:public at cabforum.org>
Subject: Re: [cabfpub] Continuing the discussion on CAA

As the CAA author, the reason the spec doesn’t talk about ‘validation’ is that the distinction between validation and issue is something that is a policy issue and the IETF does not do policy.

That said, why wouldn’t you want to do a check on each issue? Its only a DNS lookup.


   On Sep 13, 2016, at 8:29 AM, Doug Beattie <doug.beattie at globalsign.com<mailto:doug.beattie at globalsign.com>> wrote:

   If we adopt CAA as a requirement, when in the process will the CAA check be mandated?
   -          When the certificate request is received (part of request validation similar to high risk checks)
   -          When the certificate request is approved (at time of issuance) – which could be minutes, hours or days after the request was received
   -          When the “Certificate Data” is collected and domain validation is performed

   I believe the CAA spec says at time of issuance, but I’m hoping that for the BRs we can move the CAA check up in the issuance process to the point in time the Certificate Data is validated.  For enterprise type accounts we shouldn’t need to validate CAA for every issuance if CAA was validated as part of Domain Validation for that enterprise.

   Doug


   From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of Rick Andrews
   Sent: Monday, September 12, 2016 6:56 PM
   To: Eric Mill
   Cc: public at cabforum.org<mailto:public at cabforum.org>
   Subject: Re: [cabfpub] Continuing the discussion on CAA

   Eric, the discussions around CAA have often included less-than-strict enforcement because some CAs were opposed to CAA deployment. Some thought that it might be easier to achieve broad adoption by mandating a lax minimum and then ratcheting it up over time.

   -Rick




   _______________________________________________
   Public mailing list
   Public at cabforum.org<mailto:Public at cabforum.org>
   https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160913/16bdbb04/attachment-0003.html>

More information about the Public mailing list