[cabfpub] Ballot 187 - Make CAA Checking Mandatory

Mon Feb 27 11:39:24 MST 2017

On 22/02/17 22:32, Doug Beattie wrote:
> I think we need to talk about negative caching TTL.  I recommend we add:
> 
> -        In the event there were no CAA records found, the CA may cache
> the result for 24-hours or the value of the negative caching TTL.

Hi Doug,

I thought that Ryan addressed this by explaining the mechanism the DNS
already provides for caching a negative response. What makes you think
that mechanism is inappropriate?

> You reference CT logs, but I think we need to be more clear that they
> need to be Active logs (anyone of the active logs on this page
> https://sites.google.com/site/certificatetransparency/known-logs).

My rationale in not doing this was that I wanted to avoid referencing a
list of logs provided by any one particular vendor or CAB Forum member.

> Not
> doing so could allow someone to generate a pre-cert and post it to their
> development CT log then wait a month/year before issuing the real cert
> at which point the CAA check is long over the time limit.

This is possible, I suppose; what would a CA have to gain from such
strange behaviour? The log is required to be "public"; I expect that to
mean that the CT community is aware of its existence and that its
endpoints respond appropriately to calls.

> I think we need to update the EVGL, section 11.7.1
> 
> -        For each Fully-Qualified Domain Name listed in a Certificate,
> other than a Domain Name with .onion in the right-most label of the
> Domain Name, the CA SHALL confirm that, as of the date the Certificate
> was issued, the Applicant (or the Applicant’s Parent Company, Subsidiary
> Company, or Affiliate, collectively referred to as “Applicant” for the
> purposes of this section)  either is the Domain Name Registrant or has
> control over the FQDN using a procedure specified in Section 3.2.2.4 of
> the Baseline Requirements _and has checked CAA in accordance with
> Section 3.2.2.8 of the Baseline Requirements_.  For a Certificate issued
> to a Domain Name with .onion in the right-most label of the Domain Name,
> the CA SHALL confirm that, as of the date the Certificate was issued,
> the Applicant’s control over the .onion Domain Name in accordance with
> Appendix F.

Why do you think this update is necessary? The BRs apply to the issuance
of EV certificates just as much as any other sort, and CAA is mandatory
in the BRs.

> Several people have looked at RFC 6844 and have come away with different
> interpretations of what the processing means, so I HIGHLY recommend we
> include the CAA processing that MUST be performed so there is no
> ambiguity and so it’s clear for auditors.

As noted, I have no wish to "fork" the CAA standard into the BRs. There
are six months before it is required for all CAs to start checking CAA.
In that time, I hope that any necessary clarifications to the RFC can be
issued. If we get closer to the time and a follow-up ballot is deemed
necessary because the situation is still unclear, we can pass one.

Gerv