[cabfpub] Draft CAA motion (3)

Doug Beattie doug.beattie at globalsign.com
Thu Jan 19 13:44:29 UTC 2017

> -----Original Message-----
> From: Gervase Markham [mailto:gerv at mozilla.org]
> Sent: Thursday, January 19, 2017 8:33 AM
> To: CA/Browser Forum Public Discussion List <public at cabforum.org>
> Cc: Doug Beattie <doug.beattie at globalsign.com>
> Subject: Re: [cabfpub] Draft CAA motion (3)
> On 19/01/17 13:25, Doug Beattie via Public wrote:
> > What did you intend by “adverse CAA records”?   If a CA runs across a
> > CAA record that identifies other CAs that are authorized to issue but
> > not them, I don’t see a reason to report on that to CABF as you
> > suggested in the proposed ballot.
> Why not? This is a scenario that lots of CAs seem to be exercised about, so it
> would be useful to know how often it happens, and what the underlying
> cause is (primarily, if the record turns out to be correct and the application is
> wrong or malicious, or whether the record turns out to be wrong/outdated
> and the application correct).
> So I am very keen to see CAs keeping records of this, because some seem to
> think that this will be a highly common and deeply inconvenient occurrence,
> and so I want data to prove or disprove that assertion.

I don’t think wanting to know stats about cert issuance belongs in the BRs, we should stick to Security and Compliance topics.  

> > If we create a new section in the BRs for CAA (maybe section,
> > do we need to update the EVGL with a reference to this so EV
> > certificates need to comply, or is everything in the BRs also assumed
> > for EVGL?
> The latter. Baseline Requirements apply to all certificate issuance.

OK, then the EGVLs could be massively cleaned up to remove all the references to the BRs because they are redundant.

Btw, as the 2 specifications  sit now, dNSNames in EV certs can be validated using "any other method".  Not that anyone would do that....

> Gerv

More information about the Public mailing list