[cabfpub] FW: Proposal: CAA Discovery
Mads Egil Henriksveen
Mads.Henriksveen at buypass.no
Thu Aug 31 09:52:10 MST 2017
I will endorse for Buypass.
Mads
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Phillip via Public
Sent: Thursday 31 August 2017 18:15
To: 'CA/Browser Forum Public Discussion List' <public at cabforum.org>
Subject: [cabfpub] FW: Proposal: CAA Discovery
Comodo proposes the following motion, looking for a seconder.
Proposal: Modify the Baseline Requirements v1.4.9 as follows:
3.2.2.8. CAA Records
Change:
As part of the issuance process, the CA MUST check for a CAA record for each dNSName in the subjectAltName extension of the certificate to be issued, according to the procedure in RFC 6844, following the processing instructions set down in RFC 6844 for any records found. If the CA issues, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.
To
As part of the issuance process, the CA MUST check for CAA records and follow the processing instructions for any records found, for each dNSName in the subjectAltName extension of the certificate to be issued, as specified in RFC 6844 as amended by Errata 5065 (Appendix A). If the CA issues, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.
Add the following as an appendix.
Appendix A:
The following errata report has been held for document update for RFC6844, "DNS Certification Authority Authorization (CAA) Resource Record".
--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5065
--------------------------------------
Status: Held for Document Update
Type: Technical
Reported by: Phillip Hallam-Baker <philliph at comodo.com>
Date Reported: 2017-07-10
Held by: EKR (IESG)
Section: 4
Original Text
-------------
Let CAA(X) be the record set returned in response to performing a CAA
record query on the label X, P(X) be the DNS label immediately above
X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
alias record specified at the label X.
o If CAA(X) is not empty, R(X) = CAA (X), otherwise
o If A(X) is not null, and R(A(X)) is not empty, then R(X) =
R(A(X)), otherwise
o If X is not a top-level domain, then R(X) = R(P(X)), otherwise
o R(X) is empty.
Corrected Text
--------------
Let CAA(X) be the record set returned in response to performing a CAA
record query on the label X, P(X) be the DNS label immediately above
X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
alias record chain specified at the label X.
o If CAA(X) is not empty, R(X) = CAA (X), otherwise
o If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =
CAA(A(X)), otherwise
o If X is not a top-level domain, then R(X) = R(P(X)), otherwise
o R(X) is empty.
Thus, when a search at node X returns a CNAME record, the CA will
follow the CNAME record chain to its target. If the target label
contains a CAA record, it is returned.
Otherwise, the CA continues the search at
the parent of node X.
Note that the search does not include the parent of a target of a
CNAME record (except when the CNAME points back to its own path).
To prevent resource exhaustion attacks, CAs SHOULD limit the length of
CNAME chains that are accepted. However CAs MUST process CNAME
chains that contain 8 or fewer CNAME records.
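The corrected discovery rule from the erratum, as an added example that is not part of the proposal or of RFC 6844: a Python implementation of R(X) over a constructed in-memory zone, run with both the original wording (R(A(X))) and the erratum wording (CAA(A(X))) so the difference in outcome is visible. ZONE, the domain names, relevant_caa and alias_target are all constructed for illustration.

```python
# Added example: RFC 6844 section 4 CAA discovery as corrected by erratum 5065,
# run over a constructed zone (not real DNS). label -> {"CAA": [...], "CNAME": target}
ZONE = {
    "example.com":        {"CAA": ['0 issue "ca-a.example"']},
    "www.example.com":    {"CNAME": "cdn.example.net"},       # two-hop CNAME chain
    "cdn.example.net":    {"CNAME": "web.hosting.example"},
    "hosting.example":    {"CAA": ['0 issue "ca-b.example"']},
    # web.hosting.example (the chain target) has no CAA record of its own
}

MAX_CNAME_CHAIN = 8  # erratum: CAs MUST process chains of 8 or fewer records

def caa(label):
    """CAA(X): the CAA record set at label X (empty list if none)."""
    return list(ZONE.get(label, {}).get("CAA", []))

def parent(label):
    """P(X): the label immediately above X, or None when X is a top-level domain."""
    parts = label.split(".", 1)
    return parts[1] if len(parts) == 2 else None

def alias_target(label):
    """A(X): final target of the CNAME chain starting at X, or None if no CNAME."""
    hops, target = 0, None
    while "CNAME" in ZONE.get(label, {}):
        hops += 1
        if hops > MAX_CNAME_CHAIN:  # bound the chain to avoid resource exhaustion
            raise ValueError("CNAME chain longer than %d at %s" % (MAX_CNAME_CHAIN, label))
        label = target = ZONE[label]["CNAME"]
    return target

def relevant_caa(label, corrected=True):
    """R(X). corrected=True follows erratum 5065; corrected=False is the original text."""
    rrset = caa(label)
    if rrset:
        return rrset
    target = alias_target(label)
    if target is not None:
        if corrected:
            found = caa(target)                          # CAA(A(X)) only
        else:
            found = relevant_caa(target, corrected=False)  # R(A(X)): climbs target's parents
        if found:
            return found
    p = parent(label)
    return relevant_caa(p, corrected) if p is not None else []
```

With this zone the original text lets the hosting provider's CAA at hosting.example decide for www.example.com, while the corrected text returns the domain owner's record at example.com.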