[cabfpub] CAA Customer Identifier

Jeremy Rowley jeremy.rowley at digicert.com
Mon May 15 19:33:05 UTC 2017

Yes – thanks! I didn’t realize you could have CA specific properties.


From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Monday, May 15, 2017 12:59 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: Re: [cabfpub] CAA Customer Identifier

You can extend the CAA syntax with issuer-specific properties. Do you think it makes sense to first experiment with this deployment, and then subsequently report back?


Namely, the syntax for the issue property tag is


issue <Issuer Domain Name> [; <name>=<value> ]*


The '<name>=<value>" portion allows you to define CA-specific properties without the registration of additional tags. For example, your 'customer ID' tag is clearly CA specific, while 'validation method' could be generic (if applied to the BRs) or could be a CA-specific construction (if more rigid than the BRs)


For example, if DigiCert wanted, it could


issue digicert.com;cid=1234;method=


This syntax is expanded upon in Section 5.2, which includes the following:

   An issuer MAY choose to specify issuer-parameters that further
   constrain the issue of certificates by that issuer, for example,
   specifying that certificates are to be subject to specific validation
   policies, billed to certain accounts, or issued under specific trust

   The semantics of issuer-parameters are determined by the issuer

Does that help?


On Mon, May 15, 2017 at 2:45 PM, Jeremy Rowley via Public <public at cabforum.org> wrote:

Although CAA significantly narrows the scope of issuers, a tag identifying the customer/account where issuance is permitted would significantly reduce spam domain control emails. Despite CAA limiting issuance of a domain to DigiCert, we may still have a dozen entities trying to request the same domain. In fact, I suspect the number of requested bad domains will increase on our side if a CAA record is present. Although we have methods to control spam validation emails, a bad actor could create accounts and annoy customers hoping the domain is inadvertently approved. To limit this, I’d like to create a CAA tag that is customerID. Something like:


CAA 0 register “customer ID=[ID provided by CA]”


The requirement in the RFC for creating tags is to register the tag with IANA. I thought I’d float the idea here first though. If there’s interest, we could combine it with a validation method restriction.


CAA 0 register “customer ID=[ID provided by CA] validationMethod=[Validation Method OID]”

Public mailing list
Public at cabforum.org
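As an added example (not code from the thread, DigiCert or any CA), the following Python parses an RFC 6844 "issue" property value carrying issuer-parameters of the form discussed above and applies a per-record customer-account restriction. The parameter names `cid` and `method` are taken from Ryan's illustration and are assumptions, not registered names.

```python
"""Parse CAA "issue" values with RFC 6844 section 5.2 issuer-parameters.

Added example; not from the mailing-list thread. The 'cid' parameter name is
an assumption borrowed from the thread's illustration, not a registered tag.
"""
import re
from dataclasses import dataclass, field

# A label is alphanumerics with interior hyphens; labels are dot-separated.
_DOMAIN_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$")
_TAG_RE = re.compile(r"^[A-Za-z0-9]+$")   # RFC 6844: tag = 1*(ALPHA / DIGIT)


@dataclass
class IssueValue:
    domain: str                            # "" means the ";"-only "no CA" form
    params: dict = field(default_factory=dict)


def parse_issue_value(text: str) -> IssueValue:
    """Split 'digicert.com; cid=1234; method=' into domain and parameters."""
    head, _, rest = text.partition(";")
    domain = head.strip().lower()
    if domain and not _DOMAIN_RE.match(domain):
        raise ValueError(f"invalid issuer domain: {domain!r}")
    params = {}
    for chunk in rest.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue                       # tolerate trailing ';' and blanks
        tag, eq, value = chunk.partition("=")
        tag = tag.strip().lower()
        if not eq or not _TAG_RE.match(tag):
            raise ValueError(f"malformed issuer-parameter: {chunk!r}")
        params[tag] = value.strip()        # empty values ('method=') are allowed
    return IssueValue(domain, params)


def issuance_permitted(issue_values, ca_domain, account_id=None):
    """A CA may issue if some issue record names it; when that record carries
    a 'cid' parameter (assumed name), the requesting account must match it."""
    for raw in issue_values:
        iv = parse_issue_value(raw)
        if iv.domain != ca_domain.lower():
            continue
        cid = iv.params.get("cid")
        if cid is None or cid == account_id:
            return True
    return False
```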