[cabfpub] no CAA authorizations -- RFC 6844

Phillip philliph at comodo.com
Thu Jun 22 11:46:36 MST 2017 

It is my understanding that the text as drafted prohibits issue of a
wildcard certificate if the record set only contains issue records and issue
of a non wildcard certificate if the record set only contains issuewild
records.

My reasoning is as follows:

The relevant parts of the specification are:

4.  Certification Authority Processing

   Before issuing a certificate, a compliant CA MUST check for
   publication of a relevant CAA Resource Record set.  If such a record
   set exists, a CA MUST NOT issue a certificate unless the CA
   determines that either (1) the certificate request is consistent with
   the applicable CAA Resource Record set or (2) an exception specified
   in the relevant Certificate Policy or Certification Practices
   Statement applies.

   A certificate request MAY specify more than one domain name and MAY
   specify wildcard domains.  Issuers MUST verify authorization for all
   the domains and wildcard domains specified in the request.

3.  The CAA RR Type

   issue <Issuer Domain Name> [; <name>=<value> ]* :  The issue property
      entry authorizes the holder of the domain name <Issuer Domain
      Name> or a party acting under the explicit authority of the holder
      of that domain name to issue certificates for the domain in which
      the property is published.

   issuewild <Issuer Domain Name> [; <name>=<value> ]* :  The issuewild
      property entry authorizes the holder of the domain name <Issuer
      Domain Name> or a party acting under the explicit authority of the
      holder of that domain name to issue wildcard certificates for the
      domain in which the property is published.


Section 4 specifies that the CA MUST NOT issue a certificate unless... 'is
consistent'

If we were to interpret 'is consistent' as meaning that the absence of an
authorization record implies authorization than the whole specification
becomes meaningless. The argument made that silence on issue permits
issuewild would apply just as well to issue. 


Proposed resolution:

I do not believe that the text as written is ambiguous. However, 'out of an
abundance of caution and to eliminate any possible doubt, I propose an
errata to read as follows:

Existing text

4.  Certification Authority Processing

   Before issuing a certificate, a compliant CA MUST check for
   publication of a relevant CAA Resource Record set.  If such a record
   set exists, a CA MUST NOT issue a certificate unless the CA
   determines that either (1) the certificate request is consistent with
   the applicable CAA Resource Record set or (2) an exception specified
   in the relevant Certificate Policy or Certification Practices
   Statement applies.

Replacement text

4.  Certification Authority Processing

   Before issuing a certificate, a compliant CA MUST check for
   publication of a relevant CAA Resource Record set.  If such a record
   set exists, a CA MUST NOT issue a certificate unless the CA
   determines that either (1) the certificate request is consistent with
   and explicitly authorized by the applicable CAA Resource Record 
   set or (2) an exception specified in the relevant Certificate Policy 
   or Certification Practices Statement applies.


-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of philliph---
via Public
Sent: Thursday, June 22, 2017 10:47 AM
To: Gervase Markham <gerv at mozilla.org>; CA/Browser Forum Public Discussion
List <public at cabforum.org>
Subject: Re: [cabfpub] no CAA authorizations -- RFC 6844

It was certainly the intention that presence of an issue prevents issue of
wildcard certs.

I will re-read that section and report.

Meanwhile, I have had some comment on the discovery fixup and will rev that.


> On Jun 22, 2017, at 8:34 AM, Gervase Markham via Public
<public at cabforum.org> wrote:
> 
> On 22/06/17 06:42, y-iida--- via Public wrote:
>> <C> Likewise, when there are some relevant CAA records, but no CAA 
>> with "issuewild" property tag at all for a certificate domain, we 
>> will issue wildcard certificate for that domain.
> 
> You should read RFC6844 carefully, but to my understanding, this is 
> incorrect. If there is an "issue" property but no "issuewild" 
> property, then the "issue" property also controls the issuance of wildcard
certs.
> So you need to respect it in that case.
> 
> Gerv
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public

More information about the Public mailing list