[cabfpub] Draft CAA motion (3)

Ryan Sleevi sleevi at google.com
Thu Jan 12 22:56:14 UTC 2017

On Thu, Jan 12, 2017 at 1:15 PM, Bruce Morton <
Bruce.Morton at entrustdatacard.com> wrote:
> How often does that scenario happen - that you're issuing a server
> certificate via ceremony (as opposed to an intermediate or root
> certificate)?
> *[BM] We have a model where about 20-30 certificates per business day are
> issued. We can change the model, but this will add more implementation
> time. Please note that we currently check CAA records for those
> certificates, but at the time of validation, not issuance.*

Interesting. I was not aware CAs did this. I'd love to know more about the
why, and I'm glad to hear it's not a substantial volume. Is there anything
that materially distinguishes these certificates from the others that you
issue, much like was done for same-CA&DNS certs, so that it might be
possible to recognize them as the exception (which, at 20-30/day, are
unquestionably) rather than weakening the general rule?

> As with previous discussions about implementation times, can you speak to
> your specific concerns, rather than hypothetical generalizations? This
> helps ensure we're picking a reasonable time, not simply an appealing time.
> I think this is especially important because as proposed, Gerv hasn't
> touched upon what interaction, if any, this has on cached validations -
> potentially meaning it's 4 years before domain holders can have any
> reasonable semblance of security.
> *[BM] We have a release cycle which is already planned for many future
> releases. Improvements to CAA are not yet planned in the release cycle. For
> us to implement new requirements for CAA for multiple brands, then it will
> drastically impact our current plans. More time to implement for a feature
> which is used by so few Subscribers would be appreciated. On the other
> hand, I understand that those that use CAA would like their records to be
> respected. It would be great to have a list of the current CAA records,
> then we can just black-list or block-list those domains as a transition
> plan.*

Understandably, it's a feature used by so few Subscribers because despite
years of talking, so few CAs have implemented, and the Forum itself hasn't
codified a requirement (hence Mozilla's willingness to explore modifying
its own policies in the absence of Forum consensus). As the purpose of CAA
is to avoid such lists - or, more aptly, to make them manageable by the
applicant rather than the CA, it doesn't seem like it would be worthwhile
or desirable to add existing-CAA domains to the "High Risk" domain list.
Any form of automating that curation (e.g. "compute this list daily") just
ends up either woefully incomplete (you have to know the *full* name to
check it, and I doubt your team is ready to crawl the Internet daily) or
just ends up as a delayed check, which is the thing being remarked against.

It sounds like CAA has not been on release cycle to implement, despite the
years of the Forum talking about it. Is that a correct conclusion? If it
isn't - and CAA implementation is on your plans to implement - it might
help more if you could speak to what other improvements to online security
and safety Entrust is planning that would be more important/valuable for
the ecosystem than CAA.