[cabfpub] no CAA authorizations -- RFC 6844
Phillip
philliph at comodo.com
Thu Jun 22 18:46:36 UTC 2017
It is my understanding that the text as drafted prohibits issue of a
wildcard certificate if the record set only contains issue records and issue
of a non wildcard certificate if the record set only contains issuewild
records.
My reasoning is as follows:
The relevant parts of the specification are:
4. Certification Authority Processing
Before issuing a certificate, a compliant CA MUST check for
publication of a relevant CAA Resource Record set. If such a record
set exists, a CA MUST NOT issue a certificate unless the CA
determines that either (1) the certificate request is consistent with
the applicable CAA Resource Record set or (2) an exception specified
in the relevant Certificate Policy or Certification Practices
Statement applies.
A certificate request MAY specify more than one domain name and MAY
specify wildcard domains. Issuers MUST verify authorization for all
the domains and wildcard domains specified in the request.
3. The CAA RR Type
issue <Issuer Domain Name> [; <name>=<value> ]* : The issue property
entry authorizes the holder of the domain name <Issuer Domain
Name> or a party acting under the explicit authority of the holder
of that domain name to issue certificates for the domain in which
the property is published.
issuewild <Issuer Domain Name> [; <name>=<value> ]* : The issuewild
property entry authorizes the holder of the domain name <Issuer
Domain Name> or a party acting under the explicit authority of the
holder of that domain name to issue wildcard certificates for the
domain in which the property is published.
Section 4 specifies that the CA MUST NOT issue a certificate unless... 'is
consistent'
If we were to interpret 'is consistent' as meaning that the absence of an
authorization record implies authorization than the whole specification
becomes meaningless. The argument made that silence on issue permits
issuewild would apply just as well to issue.
Proposed resolution:
I do not believe that the text as written is ambiguous. However, 'out of an
abundance of caution and to eliminate any possible doubt, I propose an
errata to read as follows:
Existing text
4. Certification Authority Processing
Before issuing a certificate, a compliant CA MUST check for
publication of a relevant CAA Resource Record set. If such a record
set exists, a CA MUST NOT issue a certificate unless the CA
determines that either (1) the certificate request is consistent with
the applicable CAA Resource Record set or (2) an exception specified
in the relevant Certificate Policy or Certification Practices
Statement applies.
Replacement text
4. Certification Authority Processing
Before issuing a certificate, a compliant CA MUST check for
publication of a relevant CAA Resource Record set. If such a record
set exists, a CA MUST NOT issue a certificate unless the CA
determines that either (1) the certificate request is consistent with
and explicitly authorized by the applicable CAA Resource Record
set or (2) an exception specified in the relevant Certificate Policy
or Certification Practices Statement applies.
-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of philliph---
via Public
Sent: Thursday, June 22, 2017 10:47 AM
To: Gervase Markham <gerv at mozilla.org>; CA/Browser Forum Public Discussion
List <public at cabforum.org>
Subject: Re: [cabfpub] no CAA authorizations -- RFC 6844
It was certainly the intention that presence of an issue prevents issue of
wildcard certs.
I will re-read that section and report.
Meanwhile, I have had some comment on the discovery fixup and will rev that.
> On Jun 22, 2017, at 8:34 AM, Gervase Markham via Public
<public at cabforum.org> wrote:
>
> On 22/06/17 06:42, y-iida--- via Public wrote:
>> <C> Likewise, when there are some relevant CAA records, but no CAA
>> with "issuewild" property tag at all for a certificate domain, we
>> will issue wildcard certificate for that domain.
>
> You should read RFC6844 carefully, but to my understanding, this is
> incorrect. If there is an "issue" property but no "issuewild"
> property, then the "issue" property also controls the issuance of wildcard
certs.
> So you need to respect it in that case.
>
> Gerv
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
More information about the Public
mailing list