[cabfpub] "[UNVERIFIED SENDER]Re: no CAA authorizations -- RFC 6844

Peter Bowen pzb at amzn.com
Thu Jun 22 18:59:06 UTC 2017


I believe that this is a misreading, based on section 5.3:

5.3 <https://tools.ietf.org/html/rfc6844#section-5.3>.  CAA issuewild Property

   The issuewild property has the same syntax and semantics as the issue
   property except that issuewild properties only grant authorization to
   issue certificates that specify a wildcard domain and issuewild
   properties take precedence over issue properties when specified.
   Specifically:

      issuewild properties MUST be ignored when processing a request for
      a domain that is not a wildcard domain.

      If at least one issuewild property is specified in the relevant
      CAA record set, all issue properties MUST be ignored when
      processing a request for a domain that is a wildcard domain.

This makes it clear that issue property applies when a wildcard domain is processed unless there is an issuewild property.

Thanks,
Peter

> On Jun 22, 2017, at 11:46 AM, Phillip via Public <public at cabforum.org> wrote:
> 
> It is my understanding that the text as drafted prohibits issue of a
> wildcard certificate if the record set only contains issue records and issue
> of a non wildcard certificate if the record set only contains issuewild
> records.
> 
> My reasoning is as follows:
> 
> The relevant parts of the specification are:
> 
> 4.  Certification Authority Processing
> 
>   Before issuing a certificate, a compliant CA MUST check for
>   publication of a relevant CAA Resource Record set.  If such a record
>   set exists, a CA MUST NOT issue a certificate unless the CA
>   determines that either (1) the certificate request is consistent with
>   the applicable CAA Resource Record set or (2) an exception specified
>   in the relevant Certificate Policy or Certification Practices
>   Statement applies.
> 
>   A certificate request MAY specify more than one domain name and MAY
>   specify wildcard domains.  Issuers MUST verify authorization for all
>   the domains and wildcard domains specified in the request.
> 
> 3.  The CAA RR Type
> 
>   issue <Issuer Domain Name> [; <name>=<value> ]* :  The issue property
>      entry authorizes the holder of the domain name <Issuer Domain
>      Name> or a party acting under the explicit authority of the holder
>      of that domain name to issue certificates for the domain in which
>      the property is published.
> 
>   issuewild <Issuer Domain Name> [; <name>=<value> ]* :  The issuewild
>      property entry authorizes the holder of the domain name <Issuer
>      Domain Name> or a party acting under the explicit authority of the
>      holder of that domain name to issue wildcard certificates for the
>      domain in which the property is published.
> 
> 
> Section 4 specifies that the CA MUST NOT issue a certificate unless... 'is
> consistent'
> 
> If we were to interpret 'is consistent' as meaning that the absence of an
> authorization record implies authorization than the whole specification
> becomes meaningless. The argument made that silence on issue permits
> issuewild would apply just as well to issue. 
> 
> 
> Proposed resolution:
> 
> I do not believe that the text as written is ambiguous. However, 'out of an
> abundance of caution and to eliminate any possible doubt, I propose an
> errata to read as follows:
> 
> Existing text
> 
> 4.  Certification Authority Processing
> 
>   Before issuing a certificate, a compliant CA MUST check for
>   publication of a relevant CAA Resource Record set.  If such a record
>   set exists, a CA MUST NOT issue a certificate unless the CA
>   determines that either (1) the certificate request is consistent with
>   the applicable CAA Resource Record set or (2) an exception specified
>   in the relevant Certificate Policy or Certification Practices
>   Statement applies.
> 
> Replacement text
> 
> 4.  Certification Authority Processing
> 
>   Before issuing a certificate, a compliant CA MUST check for
>   publication of a relevant CAA Resource Record set.  If such a record
>   set exists, a CA MUST NOT issue a certificate unless the CA
>   determines that either (1) the certificate request is consistent with
>   and explicitly authorized by the applicable CAA Resource Record 
>   set or (2) an exception specified in the relevant Certificate Policy 
>   or Certification Practices Statement applies.
> 
> 
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of philliph---
> via Public
> Sent: Thursday, June 22, 2017 10:47 AM
> To: Gervase Markham <gerv at mozilla.org>; CA/Browser Forum Public Discussion
> List <public at cabforum.org>
> Subject: Re: [cabfpub] no CAA authorizations -- RFC 6844
> 
> It was certainly the intention that presence of an issue prevents issue of
> wildcard certs.
> 
> I will re-read that section and report.
> 
> Meanwhile, I have had some comment on the discovery fixup and will rev that.
> 
> 
>> On Jun 22, 2017, at 8:34 AM, Gervase Markham via Public
> <public at cabforum.org> wrote:
>> 
>> On 22/06/17 06:42, y-iida--- via Public wrote:
>>> <C> Likewise, when there are some relevant CAA records, but no CAA 
>>> with "issuewild" property tag at all for a certificate domain, we 
>>> will issue wildcard certificate for that domain.
>> 
>> You should read RFC6844 carefully, but to my understanding, this is 
>> incorrect. If there is an "issue" property but no "issuewild" 
>> property, then the "issue" property also controls the issuance of wildcard
> certs.
>> So you need to respect it in that case.
>> 
>> Gerv
>> 
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170622/c8119781/attachment-0003.html>


More information about the Public mailing list