[cabfpub] "[UNVERIFIED SENDER]Re: no CAA authorizations -- RFC 6844

Ryan Sleevi sleevi at google.com
Thu Jun 22 19:56:48 UTC 2017


This is consistent with the deployed reality, so I similarly concur with
Peter's view and believe that Phillip's understanding may be a
misunderstanding of the text. Certainly, it would be a breaking change for
deployments to adopt the proposed interpretation, and for that reason,
would be very concerning.

On Thu, Jun 22, 2017 at 2:59 PM, Peter Bowen via Public <public at cabforum.org> wrote:

> I believe that this is a misreading, based on section 5.3:
>
> 5.3 <https://tools.ietf.org/html/rfc6844#section-5.3>.  CAA issuewild Property
>
>    The issuewild property has the same syntax and semantics as the issue
>    property except that issuewild properties only grant authorization to
>    issue certificates that specify a wildcard domain and issuewild
>    properties take precedence over issue properties when specified.
>    Specifically:
>
>       issuewild properties MUST be ignored when processing a request for
>       a domain that is not a wildcard domain.
>
>       If at least one issuewild property is specified in the relevant
>       CAA record set, all issue properties MUST be ignored when
>       processing a request for a domain that is a wildcard domain.
>
>
> This makes it clear that issue property applies when a wildcard domain is
> processed unless there is an issuewild property.
>
> Thanks,
> Peter
>
> On Jun 22, 2017, at 11:46 AM, Phillip via Public <public at cabforum.org>
> wrote:
>
> It is my understanding that the text as drafted prohibits issue of a
> wildcard certificate if the record set only contains issue records and
> issue of a non-wildcard certificate if the record set only contains
> issuewild records.
>
> My reasoning is as follows:
>
> The relevant parts of the specification are:
>
> 4.  Certification Authority Processing
>
>   Before issuing a certificate, a compliant CA MUST check for
>   publication of a relevant CAA Resource Record set.  If such a record
>   set exists, a CA MUST NOT issue a certificate unless the CA
>   determines that either (1) the certificate request is consistent with
>   the applicable CAA Resource Record set or (2) an exception specified
>   in the relevant Certificate Policy or Certification Practices
>   Statement applies.
>
>   A certificate request MAY specify more than one domain name and MAY
>   specify wildcard domains.  Issuers MUST verify authorization for all
>   the domains and wildcard domains specified in the request.
>
> 3.  The CAA RR Type
>
>   issue <Issuer Domain Name> [; <name>=<value> ]* :  The issue property
>      entry authorizes the holder of the domain name <Issuer Domain
>      Name> or a party acting under the explicit authority of the holder
>      of that domain name to issue certificates for the domain in which
>      the property is published.
>
>   issuewild <Issuer Domain Name> [; <name>=<value> ]* :  The issuewild
>      property entry authorizes the holder of the domain name <Issuer
>      Domain Name> or a party acting under the explicit authority of the
>      holder of that domain name to issue wildcard certificates for the
>      domain in which the property is published.
>
>
> Section 4 specifies that the CA MUST NOT issue a certificate unless... 'is
> consistent'
>
> If we were to interpret 'is consistent' as meaning that the absence of an
> authorization record implies authorization, then the whole specification
> becomes meaningless. The argument made that silence on issue permits
> issuewild would apply just as well to issue.
>
>
> Proposed resolution:
>
> I do not believe that the text as written is ambiguous. However, out of an
> abundance of caution and to eliminate any possible doubt, I propose an
> errata to read as follows:
>
> Existing text
>
> 4.  Certification Authority Processing
>
>   Before issuing a certificate, a compliant CA MUST check for
>   publication of a relevant CAA Resource Record set.  If such a record
>   set exists, a CA MUST NOT issue a certificate unless the CA
>   determines that either (1) the certificate request is consistent with
>   the applicable CAA Resource Record set or (2) an exception specified
>   in the relevant Certificate Policy or Certification Practices
>   Statement applies.
>
> Replacement text
>
> 4.  Certification Authority Processing
>
>   Before issuing a certificate, a compliant CA MUST check for
>   publication of a relevant CAA Resource Record set.  If such a record
>   set exists, a CA MUST NOT issue a certificate unless the CA
>   determines that either (1) the certificate request is consistent with
>   and explicitly authorized by the applicable CAA Resource Record
>   set or (2) an exception specified in the relevant Certificate Policy
>   or Certification Practices Statement applies.
>
>
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of philliph---
> via Public
> Sent: Thursday, June 22, 2017 10:47 AM
> To: Gervase Markham <gerv at mozilla.org>; CA/Browser Forum Public Discussion
> List <public at cabforum.org>
> Subject: Re: [cabfpub] no CAA authorizations -- RFC 6844
>
> It was certainly the intention that presence of an issue prevents issue of
> wildcard certs.
>
> I will re-read that section and report.
>
> Meanwhile, I have had some comment on the discovery fixup and will rev
> that.
>
>
> On Jun 22, 2017, at 8:34 AM, Gervase Markham via Public
> <public at cabforum.org> wrote:
>
>
> On 22/06/17 06:42, y-iida--- via Public wrote:
>
> <C> Likewise, when there are some relevant CAA records, but no CAA
> with "issuewild" property tag at all for a certificate domain, we
> will issue wildcard certificate for that domain.
>
>
> You should read RFC6844 carefully, but to my understanding, this is
> incorrect. If there is an "issue" property but no "issuewild"
> property, then the "issue" property also controls the issuance of wildcard
> certs.
>
> So you need to respect it in that case.
>
> Gerv
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
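To make the section 5.3 precedence rule concrete, here is an added Python example; it is not code from this thread, from RFC 6844, or from any CA's implementation. It evaluates a constructed CAA record set for a requested name under the reading Peter and Gerv describe (issuewild ignored for non-wildcard names; issue governs wildcard names unless at least one issuewild is present), and takes a flag that models Phillip's reading (a wildcard name needs an issuewild authorization, a non-wildcard name needs an issue authorization) so the difference Ryan calls a breaking change is visible. Assumptions: records arrive in presentation format and the relevant record set has already been discovered (no tree-climbing or CNAME handling); the critical flag is not processed; a record set that exists but carries no property governing the request kind (only iodef, or only issuewild for a non-wildcard name) is treated as unrestricted, which is an assumption relative to this thread. The `issue ";"` deny-all form comes from RFC 6844 section 5.2, which is not quoted above.

```python
"""RFC 6844 issue / issuewild precedence check over a CAA record set.

Added example for this thread; not code from the list, the RFC, or any CA.
Records use presentation format ('<flags> <tag> "<value>"'); all sample
record sets below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(line: str) -> CAARecord:
    """Parse one CAA record in presentation format, e.g. 0 issue "ca.example"."""
    flags, tag, value = line.split(None, 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(int(flags), tag.lower(), value)


def issuer_domain(value: str) -> str:
    """Issuer domain name from a property value, '; name=value' parameters stripped.
    An empty result (value ';') means no CA is authorized (RFC 6844 section 5.2)."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def caa_permits(record_lines, requested_name: str, ca_domain: str,
                proposed_reading: bool = False) -> bool:
    """Return True if the CA identified by ca_domain may issue for requested_name.

    proposed_reading=False follows section 5.3 as Peter and Gerv read it (the
    deployed behaviour). proposed_reading=True models Phillip's reading, where
    silence on the matching property kind is not authorization.
    The critical flag (0x80) on an unrecognised tag is not handled here.
    """
    records = [parse_caa(line) for line in record_lines]
    if not records:
        # Section 4: the MUST NOT applies only when a relevant record set exists.
        return True
    wildcard = requested_name.startswith("*.")
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]

    if proposed_reading:
        governing = issuewild if wildcard else issue
        if not governing:
            return False
    else:
        # 5.3: issuewild is ignored for non-wildcard names; for wildcard names
        # issuewild (if any) takes precedence, otherwise issue governs.
        governing = issuewild if (wildcard and issuewild) else issue
        if not governing:
            # Set exists but nothing governs this request kind (e.g. only iodef,
            # or only issuewild for a non-wildcard name). Treated as unrestricted:
            # an assumption relative to this thread, not text quoted in it.
            return True

    ca = ca_domain.lower().rstrip(".")
    return any(issuer_domain(r.value) == ca for r in governing)


# Constructed record sets for a hypothetical zone example.com.
ISSUE_ONLY = ['0 issue "ca.example"']
WILD_ONLY = ['0 issuewild "ca.example"']
BOTH = ['0 issue "ca.example"', '0 issuewild "other-ca.example"']
IODEF_ONLY = ['0 iodef "mailto:security@example.com"']
DENY_ALL = ['0 issue ";"']


if __name__ == "__main__":
    cases = [("issue only", ISSUE_ONLY), ("issuewild only", WILD_ONLY),
             ("both", BOTH), ("iodef only", IODEF_ONLY), ("deny all", DENY_ALL)]
    for label, recs in cases:
        for name in ("www.example.com", "*.example.com"):
            deployed = caa_permits(recs, name, "ca.example")
            proposed = caa_permits(recs, name, "ca.example", proposed_reading=True)
            print(f"{label:15} {name:17} deployed={deployed!s:5} proposed={proposed}")
```

The row to look at is "issue only" with `*.example.com`: the deployed reading consults the issue record and permits ca.example (and denies any other CA, which is Gerv's point), while the proposed reading denies even ca.example because no issuewild record exists.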