[cabfpub] "[UNVERIFIED SENDER]Re: no CAA authorizations -- RFC 6844
Peter Bowen
pzb at amzn.com
Thu Jun 22 18:59:06 UTC 2017
I believe that this is a misreading, based on section 5.3:
5.3 <https://tools.ietf.org/html/rfc6844#section-5.3>. CAA issuewild Property
The issuewild property has the same syntax and semantics as the issue
property except that issuewild properties only grant authorization to
issue certificates that specify a wildcard domain and issuewild
properties take precedence over issue properties when specified.
Specifically:
issuewild properties MUST be ignored when processing a request for
a domain that is not a wildcard domain.
If at least one issuewild property is specified in the relevant
CAA record set, all issue properties MUST be ignored when
processing a request for a domain that is a wildcard domain.
This makes it clear that issue property applies when a wildcard domain is processed unless there is an issuewild property.
Thanks,
Peter
> On Jun 22, 2017, at 11:46 AM, Phillip via Public <public at cabforum.org> wrote:
>
> It is my understanding that the text as drafted prohibits issue of a
> wildcard certificate if the record set only contains issue records and issue
> of a non wildcard certificate if the record set only contains issuewild
> records.
>
> My reasoning is as follows:
>
> The relevant parts of the specification are:
>
> 4. Certification Authority Processing
>
> Before issuing a certificate, a compliant CA MUST check for
> publication of a relevant CAA Resource Record set. If such a record
> set exists, a CA MUST NOT issue a certificate unless the CA
> determines that either (1) the certificate request is consistent with
> the applicable CAA Resource Record set or (2) an exception specified
> in the relevant Certificate Policy or Certification Practices
> Statement applies.
>
> A certificate request MAY specify more than one domain name and MAY
> specify wildcard domains. Issuers MUST verify authorization for all
> the domains and wildcard domains specified in the request.
>
> 3. The CAA RR Type
>
> issue <Issuer Domain Name> [; <name>=<value> ]* : The issue property
> entry authorizes the holder of the domain name <Issuer Domain
> Name> or a party acting under the explicit authority of the holder
> of that domain name to issue certificates for the domain in which
> the property is published.
>
> issuewild <Issuer Domain Name> [; <name>=<value> ]* : The issuewild
> property entry authorizes the holder of the domain name <Issuer
> Domain Name> or a party acting under the explicit authority of the
> holder of that domain name to issue wildcard certificates for the
> domain in which the property is published.
>
>
> Section 4 specifies that the CA MUST NOT issue a certificate unless... 'is
> consistent'
>
> If we were to interpret 'is consistent' as meaning that the absence of an
> authorization record implies authorization than the whole specification
> becomes meaningless. The argument made that silence on issue permits
> issuewild would apply just as well to issue.
>
>
> Proposed resolution:
>
> I do not believe that the text as written is ambiguous. However, 'out of an
> abundance of caution and to eliminate any possible doubt, I propose an
> errata to read as follows:
>
> Existing text
>
> 4. Certification Authority Processing
>
> Before issuing a certificate, a compliant CA MUST check for
> publication of a relevant CAA Resource Record set. If such a record
> set exists, a CA MUST NOT issue a certificate unless the CA
> determines that either (1) the certificate request is consistent with
> the applicable CAA Resource Record set or (2) an exception specified
> in the relevant Certificate Policy or Certification Practices
> Statement applies.
>
> Replacement text
>
> 4. Certification Authority Processing
>
> Before issuing a certificate, a compliant CA MUST check for
> publication of a relevant CAA Resource Record set. If such a record
> set exists, a CA MUST NOT issue a certificate unless the CA
> determines that either (1) the certificate request is consistent with
> and explicitly authorized by the applicable CAA Resource Record
> set or (2) an exception specified in the relevant Certificate Policy
> or Certification Practices Statement applies.
>
>
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of philliph---
> via Public
> Sent: Thursday, June 22, 2017 10:47 AM
> To: Gervase Markham <gerv at mozilla.org>; CA/Browser Forum Public Discussion
> List <public at cabforum.org>
> Subject: Re: [cabfpub] no CAA authorizations -- RFC 6844
>
> It was certainly the intention that presence of an issue prevents issue of
> wildcard certs.
>
> I will re-read that section and report.
>
> Meanwhile, I have had some comment on the discovery fixup and will rev that.
>
>
>> On Jun 22, 2017, at 8:34 AM, Gervase Markham via Public
> <public at cabforum.org> wrote:
>>
>> On 22/06/17 06:42, y-iida--- via Public wrote:
>>> <C> Likewise, when there are some relevant CAA records, but no CAA
>>> with "issuewild" property tag at all for a certificate domain, we
>>> will issue wildcard certificate for that domain.
>>
>> You should read RFC6844 carefully, but to my understanding, this is
>> incorrect. If there is an "issue" property but no "issuewild"
>> property, then the "issue" property also controls the issuance of wildcard
> certs.
>> So you need to respect it in that case.
>>
>> Gerv
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170622/c8119781/attachment-0002.html>
More information about the Public
mailing list