[cabfpub] Draft CAA motion (4)

Doug Beattie doug.beattie at globalsign.com
Tue Jan 24 21:30:43 UTC 2017

There is a tradeoff between security and usability and I don’t believe any of the points below significantly reduce the security from Gerv’s proposal.

1) Overriding via Enterprise RA or Certificate Signer: I’ll let some of my colleagues chime in here. CAA will be checked when adding the domain to enterprise accounts, and there is a person in a BR-defined role representing the company that has signed up for the service to issue certificates. One concern is that people managing DNS records with limited knowledge about all of the business units’ agreements with CAs can cause a denial of service. This is especially an issue for “smaller” CAs that could be locked out of issuance by the larger CAs promoting the addition of their CAA records with the DNS managers. Given the lack of CAA records in use today, it’s a concern that has not been realized yet. Perhaps we could put a sunset date on this as of 1 year after mandatory CAA checking, and by then we should have addressed concerns like this via CAs reporting to the CABF on issues like this.

2) 12 hours vs 1 hour: Several people already pointed out reasons for needing more than an hour, namely for the manual issuance process Entrust uses, so a working day seems to align with their needs. As long as we publish the rules for caching, then the domain owners can understand the maximum time it takes for their changes to be applied to new certificate issuance. I don’t view this 11 hour increase in cache time as a significant security weakness. Domain owners should plan ahead and update CAA records; a half day should be more than sufficient for this.

3) 24 hour cache time when no CAA records found: Proposed by Symantec, and there were no objections on the list, so I added it.

4) Just a clarification to tighten down what this means, hopefully increasing security and decreasing loopholes. Gerv acknowledged this might need to be tightened up, so I gave it a shot.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Tuesday, January 24, 2017 3:56 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Gervase Markham <gerv at mozilla.org>; Doug Beattie <doug.beattie at globalsign.com>
Subject: Re: [cabfpub] Draft CAA motion (4)

On Tue, Jan 24, 2017 at 12:03 PM, Doug Beattie via Public <public at cabforum.org> wrote:

I’d like to propose a more detailed ballot for making CAA mandatory.  I worked on this with a couple of the CAs in CA Security Council and there is general consensus that we can support this ballot.  The intent is to be as clear as possible because CAs will be audited against this - let's not leave much room for interpretation (RFC 6844 was not precise in several areas).

Key changes from your version:
1) Added this as an exception: The CAA check failed but was subsequently approved by an Enterprise RA or Certificate Approver with knowledge that the CAA check failed.

2) Increased cache time to 12 hours from 1 hour when a CAA record is found

3) Specified a cache time of 24 hours when no CAA record was found

4) Update the exemption for CAs being the DNS provider

Unfortunately, it doesn't seem you've really explained why you've made these changes, nor how they improve security. Your opening suggests it's because of clarity, but none of these seem to bring clarity - they only seem to make it significantly weaker in practice.

Can you share the specific motivations for making these changes, so that the public can be informed why CAs want to be more lax about Internet security?
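To make the cache-window trade-off in items 2 and 3 concrete, here is an added example of a CA-side CAA check that honors the proposed 12-hour (records found) and 24-hour (no records found) windows. It is not from the ballot or from any CA's code; the zone data, the CA identifier and the timestamps are constructed, and the RFC 6844 tree climb is simplified (no CNAME or issuewild handling).

```python
"""CAA check with the cache windows proposed in the ballot (12h / 24h).
Constructed example: the zone contents and the CA identifier are made up."""
from dataclasses import dataclass, field

HOURS = 3600
TTL_FOUND = 12 * HOURS       # ballot item 2: a CAA record set was found
TTL_NOT_FOUND = 24 * HOURS   # ballot item 3: no CAA records anywhere in the tree


def lookup_caa(zone, fqdn):
    """RFC 6844 tree climb: return the first CAA RRset found walking from
    fqdn up towards the top of the tree, or [] if none exists. `zone` is a
    dict of name -> list of (flags, tag, value); CNAME handling is omitted."""
    labels = fqdn.rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels.pop(0)
    return []


def permits_issuance(rrset, ca_id):
    """Issuance is allowed if there are no 'issue' records, or if one of them
    names ca_id. An 'issue' value of ';' forbids every issuer."""
    issuers = [v.split(";")[0].strip() for _, tag, v in rrset if tag == "issue"]
    return not issuers or ca_id in issuers


@dataclass
class CaaChecker:
    zone: dict
    ca_id: str
    cache: dict = field(default_factory=dict)  # fqdn -> (expires_at, rrset)

    def check(self, fqdn, now):
        """Return True if this CA may issue for fqdn at time `now` (seconds),
        serving a cached lookup while it is still inside its window."""
        cached = self.cache.get(fqdn)
        if cached and now < cached[0]:
            rrset = cached[1]
        else:
            rrset = lookup_caa(self.zone, fqdn)
            ttl = TTL_FOUND if rrset else TTL_NOT_FOUND
            self.cache[fqdn] = (now + ttl, rrset)
        return permits_issuance(rrset, self.ca_id)
```

The point of the example is the window between a domain owner publishing a restrictive record and the CA honoring it: a record added after a "no records" lookup is not seen for up to 24 hours, and a change to an existing record set for up to 12 hours.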
