[cabfpub] CAA Customer Identifier

Ryan Sleevi sleevi at google.com
Mon May 15 18:58:55 UTC 2017


Jeremy,

You can extend the CAA syntax with issuer-specific properties. Do you think
it makes sense to first experiment with this deployment, and then
subsequently report back?

Namely, the syntax for the issue property tag is

issue <Issuer Domain Name> [; <name>=<value> ]*

The '<name>=<value>" portion allows you to define CA-specific properties
without the registration of additional tags. For example, your 'customer
ID' tag is clearly CA specific, while 'validation method' could be generic
(if applied to the BRs) or could be a CA-specific construction (if more
rigid than the BRs)

For example, if DigiCert wanted, it could

issue digicert.com;cid=1234;method=1.2.3.4

This syntax is expanded upon in Section 5.2, which includes the following:
   An issuer MAY choose to specify issuer-parameters that further
   constrain the issue of certificates by that issuer, for example,
   specifying that certificates are to be subject to specific validation
   polices, billed to certain accounts, or issued under specific trust
   anchors.

   The semantics of issuer-parameters are determined by the issuer
   alone.


Does that help?

On Mon, May 15, 2017 at 2:45 PM, Jeremy Rowley via Public <
public at cabforum.org> wrote:

> Although CAA significantly narrows the scope of issuers, a tag identifying
> the customer/account where issuance permitted would significantly reduce
> spam domain control emails. Despite CAA limiting issuance of a domain to
> DigiCert, we may still have a dozen entities trying to request the same
> domain. In fact, I suspect the number of requested bad domains will
> increase on our side if a CAA record is present. Although we have methods
> to control spam validation emails, a bad actor could create accounts and
> annoy customers hoping the domain is inadvertently approved. To limit this,
> I’d like to create a CAA tag that is customerID. Something like:
>
>
>
> CAA 0 register “customer ID=[ID provided by CA]”
>
>
>
> The requirement in the RFC for creating tags is to register the tag with
> IANA. I thought I’d float the idea here first though. If there’s interest,
> we could combine it with a validation method restriction
>
>
>
> CAA 0 register “customer ID=[ID provided by CA]
> validationMethod=[Validation Method OID]”
>
>
>
> Jeremy
>
>
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170515/bed5ed88/attachment-0003.html>


More information about the Public mailing list