[cabfpub] Draft CAA motion (3)

Ryan Sleevi sleevi at google.com
Thu Jan 12 13:39:00 MST 2017


On Thu, Jan 12, 2017 at 10:28 AM, Bruce Morton via Public <
public at cabforum.org> wrote:
>
> I know there was some discussion about caching. I do think that 1 hour may
> be a period which is too short. For instance it does not address the case
> where a CA issues a certificate manually from a secure room/secure server.
> In these cases, the server will not be able to evaluate a CAA record. I
> think that this should be raised to 24 hours.
>

How often does that scenario happen - that you're issuing a server
certificate via ceremony (as opposed to an intermediate or root
certificate)?

I can appreciate that there might be things that 1 hour would make hard -
but I think it is a valid question to ask how often those exceptional
situations realistically happen, relative to the riskiness of the proposed
solution.
> The effective time of 6 months may be too short. For many CAs, they will
> just start to deploy based on the new ballot. In this case with technical
> requirements which will impact the issuance of certificates, there should
> be more time allowed to ensure CAA is deployed effectively. I propose 12
> months after the voting period ends.
>

As with previous discussions about implementation times, can you speak to
your specific concerns, rather than hypothetical generalizations? This
helps ensure we're picking a reasonable time, not simply an appealing time.
I think this is especially important because as proposed, Gerv hasn't
touched upon what interaction, if any, this has on cached validations -
potentially meaning it's 4 years before domain holders can have any
reasonable semblance of security.
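To make the caching question in this exchange concrete, here is an added example (not part of the thread, not CA/Browser Forum or any CA's code) of the check a CA would perform: climb the DNS tree for a CAA RRset as RFC 6844 describes, decide whether the named CA may issue, and serve the result from a cache bounded by the period the draft proposes. The zone data, the CA identifiers (`ca-a.example`, `ca-b.example`) and the hostnames are constructed stand-ins for real DNS answers so the code runs offline; the one-hour TTL is the figure under discussion.

```python
# Added example: minimal RFC 6844 CAA evaluation with a TTL-bounded lookup cache.
import time

# Constructed stand-in for DNS answers: FQDN -> list of (flags, tag, value).
ZONE = {
    "example.com.": [(0, "issue", "ca-a.example"), (0, "issuewild", ";")],
    "example.net.": [(0, "issue", "ca-b.example"), (0, "iodef", "mailto:sec@example.net")],
    "nocaa.example.": [],
    "strict.example.": [(128, "futuretag", "x")],  # unknown tag with the critical bit set
}

def resolve_from_zone(fqdn):
    """Stand-in resolver: returns the CAA RRset for an FQDN from the constructed zone."""
    return ZONE.get(fqdn, [])

def lookup_caa(name, resolve=resolve_from_zone):
    """Return (fqdn, rrset) for the closest label, from `name` toward the root,
    that has a non-empty CAA RRset (RFC 6844 section 4). (None, []) if none."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        fqdn = ".".join(labels[i:]) + "."
        rrset = resolve(fqdn)
        if rrset:
            return fqdn, list(rrset)
    return None, []

def caa_permits(rrset, ca_id, wildcard=False):
    """Decide whether the CA identified by `ca_id` may issue for the name whose
    relevant RRset is `rrset`. Follows RFC 6844 section 5 semantics."""
    known = {"issue", "issuewild", "iodef"}
    # A critical (0x80) property the issuer does not understand forbids issuance.
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag.lower() not in known:
            return False
    tag = "issuewild" if wildcard else "issue"
    relevant = [v for _, t, v in rrset if t.lower() == tag]
    if wildcard and not relevant:
        # issuewild absent: the issue property governs wildcard names too.
        relevant = [v for _, t, v in rrset if t.lower() == "issue"]
    if not relevant:
        return True  # no applicable property (or no CAA at all): any CA may issue
    for value in relevant:
        issuer_domain = value.split(";", 1)[0].strip().lower()
        if issuer_domain and issuer_domain == ca_id.lower():
            return True
    return False  # only non-matching entries, or an explicit ";" (no CA permitted)

class CaaCache:
    """Caches each name's looked-up RRset for at most `ttl` seconds.
    `clock` is injectable so the expiry behaviour can be checked deterministically."""
    def __init__(self, ttl, clock=time.time, resolve=resolve_from_zone):
        self.ttl, self.clock, self.resolve = ttl, clock, resolve
        self._entries = {}  # name -> (expires_at, fqdn, rrset)
        self.lookups = 0    # number of real (uncached) lookups performed

    def get(self, name):
        now = self.clock()
        hit = self._entries.get(name)
        if hit and hit[0] > now:
            return hit[1], hit[2]
        self.lookups += 1
        fqdn, rrset = lookup_caa(name, self.resolve)
        self._entries[name] = (now + self.ttl, fqdn, rrset)
        return fqdn, rrset

def may_issue(cache, name, ca_id):
    """Issuance decision for `name` (wildcards written as '*.example.com')."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    _, rrset = cache.get(base)
    return caa_permits(rrset, ca_id, wildcard=wildcard)

if __name__ == "__main__":
    cache = CaaCache(ttl=3600)  # the one-hour period under discussion
    for host, ca in [("www.example.com", "ca-a.example"), ("*.example.com", "ca-a.example"),
                     ("host.example.net", "ca-b.example"), ("strict.example", "ca-a.example")]:
        print(f"{host:20s} {ca:14s} -> {may_issue(cache, host, ca)}")
```

The cache is keyed by the name being validated rather than by the label where the RRset was found, which is the conservative choice: a record added at a closer label during the cache window is still missed for at most one TTL, and that window is exactly what the "1 hour versus 24 hours" question is about.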