[cabfpub] FW: Proposal: CAA Discovery

Mads Egil Henriksveen Mads.Henriksveen at buypass.no
Thu Aug 31 09:52:10 MST 2017


I will endorse for Buypass.

Mads

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Phillip via Public
Sent: torsdag 31. august 2017 18:15
To: 'CA/Browser Forum Public Discussion List' <public at cabforum.org>
Subject: [cabfpub] FW: Proposal: CAA Discovery

Comodo proposes the following motion, looking for a seconder.

Proposal: Modify the Baseline Requirements v1.4.9 as follows:

3.2.2.8. CAA Records

Change:

As part of the issuance process, the CA MUST check for a CAA record for each dNSName in the subjectAltName extension of the certificate to be issued, according to the procedure in RFC 6844, following the processing instructions set down in RFC 6844 for any records found. If the CA issues, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.

To

As part of the issuance process, the CA MUST check for CAA records and follow the processing instructions for any records found, for each dNSName in the subjectAltName extension of the certificate to be issued, as specified in RFC 6844 as amended by Errata 5065 (Appendix A). If the CA issues, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.

Add the following as an appendix.
Appendix A:
The following errata report has been held for document update for RFC6844, "DNS Certification Authority Authorization (CAA) Resource Record".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5065

--------------------------------------
Status: Held for Document Update
Type: Technical

Reported by: Phillip Hallam-Baker <philliph at comodo.com<mailto:philliph at comodo.com>> Date Reported: 2017-07-10 Held by: EKR (IESG)

Section: 4

Original Text
-------------
   Let CAA(X) be the record set returned in response to performing a CAA
   record query on the label X, P(X) be the DNS label immediately above
   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
   alias record specified at the label X.

   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise

   o  If A(X) is not null, and R(A(X)) is not empty, then R(X) =
      R(A(X)), otherwise

   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise

   o  R(X) is empty.

Corrected Text
--------------
   Let CAA(X) be the record set returned in response to performing a CAA
   record query on the label X, P(X) be the DNS label immediately above
   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
   alias record chain specified at the label X.

   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise

   o  If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =
      CAA(A(X)), otherwise

   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise

   o  R(X) is empty.

  Thus, when a search at node X returns a CNAME record, the CA will
  follow the CNAME record chain to its target. If the target label
  contains a CAA record, it is returned.
  Otherwise, the CA continues the search at
  the parent of node X.

  Note that the search does not include the parent of a target of a
  CNAME record (except when the CNAME points back to its own path).

  To prevent resource exhaustion attacks, CAs SHOULD limit the length of
  CNAME chains that are accepted. However CAs MUST process CNAME
  chains that contain 8 or fewer CNAME records.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170831/4a38a3e3/attachment.html>


More information about the Public mailing list