[cabfpub] CAA working group description

Jacob Hoffman-Andrews jsha at letsencrypt.org
Tue Oct 10 22:37:28 UTC 2017


On Mon, Oct 9, 2017 at 4:04 PM, Geoff Keating <geoffk at apple.com> wrote:

> I don’t think any of these apply at the IETF level; I’m sure the IETF is
> not going to specify a ‘what if you only wanted a little bit of DNSSEC’
> configuration
>

Why not? If DNSSEC is not deployable in practice by CAs, that's something
the IETF needs to reckon with and include in its specs. We can't allow
DNSSEC deployment problems to become an elephant in the room that nobody
wants to bring to the IETF because there are hard-liners there.

 > I think the IETF RFC should specify fail-closed because that’s the only
fully secure approach

I agree, and I pushed for this when adopting the CAA ballot at CA/Browser
Forum. This is what Let's Encrypt currently implements. However, during
voting on the CAA ballot, some CAs expressed that they couldn't deploy
that, which is why we have an exception for retried failures. This is
exactly why we need those CAs to participate at LAMPS. If deploying
fail-closed CAA is impractical, IETF should acknowledge that and write it
into the next RFC. But that can't happen without LAMPS participation from
CAs that fail open.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171010/e1f5f920/attachment-0003.html>


More information about the Public mailing list