[cabfpub] CAA Exceptions listed in Ballot 187

Doug Beattie doug.beattie at globalsign.com
Thu May 25 15:43:59 UTC 2017


Ballot 187 makes CAA mandatory starting September 8th and there are 3 exceptions listed which make CAA optional. Not all of these are clear to me, so I'm looking for guidance:

1) CAA checking is optional for certificates for which a Certificate Transparency pre-certificate was created and logged in at least two public logs, and for which CAA was checked.

I understand this one. You do CAA checking, then log a pre-cert in 2 logs, and then you don't need to do it again when you issue the certificate.


2) CAA checking is optional for certificates issued by a Technically Constrained Subordinate CA Certificate as set out in Baseline Requirements section 7.1.5, where the lack of CAA checking is an explicit contractual provision in the contract with the Applicant.

I'm not clear on the reference to a contractual provision in the contract with the Applicant. The Applicant is the natural person or Legal Entity that applies for a Certificate. Is the Applicant in this case the person applying for the CA certificate or the SSL certificate?

Cutting to the point: If I have a TCSC, how can I take advantage of not doing CAA when issuing SSL certificates for the domains in the NC extension?


3) CAA checking is optional if the CA or an Affiliate of the CA is the DNS Operator (as defined in RFC 7719) of the domain's DNS.

From RFC 7719: DNS operator: An entity responsible for running DNS servers. For a zone's authoritative servers, the registrant may act as their own DNS operator, or their registrar may do it on their behalf, or they may use a third-party operator. For some zones, the registry function is performed by the DNS operator plus other entities who decide about the allowed contents of the zone.

I'm not clear what this means: "the CA is the DNS Operator of the domain's DNS".  We all run DNS servers in our data centers, and this does not state that this must be the Authoritative DNS server, so in what cases does this exception apply?  I'm assuming the CA needs to "own" the domains in question, but how does that fall out of this requirement? 

Doug
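
The CAA checking that Ballot 187 makes mandatory is the RFC 6844 processing below. This is an added example, not part of Doug's message or of the ballot text: it walks the name tree from the requested FQDN toward the root, takes the first non-empty CAA RRset, honours the critical flag on unknown tags, and applies issue/issuewild to ordinary and wildcard names. The zone data and the CA identifiers (ca-a.example, ca-b.example) are constructed for illustration; the lookup function stands in for a real DNS query.

```python
# Added example: offline RFC 6844 CAA evaluator. The zone below is constructed
# sample data, not taken from any real domain; caa_lookup() replaces a DNS query.

CRITICAL = 0x80  # issuer-critical flag bit in the CAA flags octet

# Constructed CAA data: owner name -> list of (flags, tag, value).
SAMPLE_ZONE = {
    "example.com": [
        (0, "issue", "ca-a.example"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    # Empty issuer: no CA at all may issue for this name or its children.
    "locked.example.com": [(0, "issue", ";")],
    # Different CAs for ordinary and wildcard certificates.
    "shop.example.com": [
        (0, "issue", "ca-b.example"),
        (0, "issuewild", "ca-a.example"),
    ],
    # Critical flag on a tag this evaluator does not understand.
    "future.example.com": [
        (CRITICAL, "newtag", "whatever"),
        (0, "issue", "ca-a.example"),
    ],
}


def caa_lookup(name, zone):
    """Stand-in for the CAA(X) DNS query of RFC 6844; [] when the RRset is empty."""
    return list(zone.get(name, []))


def relevant_caa_set(fqdn, zone):
    """RFC 6844 section 4: climb from the name toward the root and return the
    first non-empty CAA RRset. A leading wildcard label is dropped first, so
    *.shop.example.com is evaluated starting at shop.example.com."""
    name = fqdn.rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = caa_lookup(".".join(labels[i:]), zone)
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """'ca-a.example; account=123' -> 'ca-a.example'; ';' or '' -> '' (nobody)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn, ca_domain, zone):
    """Return (allowed, reason) for CA `ca_domain` issuing a cert for `fqdn`."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_caa_set(fqdn, zone)
    if not rrset:
        return True, "no CAA records found up the tree; issuance unrestricted"

    # Critical flag on a tag we do not implement: RFC 6844 section 4 says MUST NOT issue.
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"critical flag set on unrecognised tag '{tag}'"

    tags = {}
    for _, tag, value in rrset:
        tags.setdefault(tag.lower(), []).append(value)

    # RFC 6844 section 5.3: issuewild governs wildcard names and takes precedence
    # over issue when present; for non-wildcard names it is ignored.
    if wildcard and "issuewild" in tags:
        governing = "issuewild"
    elif "issue" in tags:
        governing = "issue"
    else:
        return True, "relevant RRset carries no issue/issuewild property"

    ca = ca_domain.lower()
    permitted = {issuer_domain(v) for v in tags[governing]}
    if ca in permitted:
        return True, f"{governing} permits {ca}"
    names = sorted(p for p in permitted if p) or "nobody"
    return False, f"{governing} permits {names}, not {ca}"


if __name__ == "__main__":
    for host, ca in [("www.example.com", "ca-a.example"),
                     ("api.locked.example.com", "ca-a.example"),
                     ("*.shop.example.com", "ca-b.example"),
                     ("x.future.example.com", "ca-a.example")]:
        print(host, ca, may_issue(host, ca, SAMPLE_ZONE))
```

The locked.example.com entry shows why an empty issuer is not the same as no record: the climb stops at the first non-empty RRset, so a child name inherits the block and the permissive record at example.com is never consulted.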