[cabfpub] CAA: clarity on naming CA

Stephen Davidson S.Davidson at quovadisglobal.com
Thu Sep 7 14:53:05 UTC 2017

Hello:

RFC 6844 is flexible in the type of CA (public, could even be untrusted CA) named in the Property Value:

    The issue property entry authorizes the holder of the domain name <Issuer Domain Name> or a party acting under the explicit authority of the holder of that domain name to issue certificates for the domain in which the property is published.

That's simple enough for trusted roots and their own sub CAs. I am interested in input regarding the fringe case of external sub CAs (root signed). The RFC seems to have leeway where the property value could be either the <Issuer Domain Name> of:

a. the trusted root, or
b. the operator of the external sub CA.

Initially, to me it seemed appropriate for all sub CAs under the trusted root to name that trusted root. But the operator of the external sub CA may prefer to use CAA to link their domains to their own sub CA - not the wider hierarchy of the trusted root.

All doable under RFC 6844 - but not so clear what the requirements are under the BR and browser expectations (particularly concerning CPS language). Feedback appreciated.

Best, Stephen
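To make the two naming options in the message concrete, here is a small RFC 6844 "issue" property evaluator. It is an added illustration, not code from the post or from any CA's implementation; the zone contents, host names and the issuer domain names trusted-root.example and external-subca.example are constructed for the example. It goes a little beyond the message: it also applies the tree-climbing lookup of RFC 6844 section 4, the issuewild precedence rule for wildcard names, and the rule that an unknown property with the critical flag set blocks issuance.

```python
"""Minimal RFC 6844 CAA evaluator (added example; all names below are constructed)."""
from dataclasses import dataclass

ISSUER_CRITICAL = 128           # RFC 6844 section 5.1: the "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rr_text):
    """Parse presentation format: '<flags> <tag> "<value>"'."""
    flags, tag, value = rr_text.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def issuer_domain_name(value):
    """An issue/issuewild value is an issuer domain name optionally followed by
    '; name=value' parameters.  The value ';' (empty name) authorises nobody."""
    return value.split(";", 1)[0].strip().lower()


def relevant_record_set(zone, fqdn):
    """RFC 6844 section 4: use the CAA RRset at the name itself, otherwise the
    RRset of the closest ancestor that has one.  `zone` maps owner names to
    lists of CAARecord (a stand-in for DNS resolution)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return zone[owner]
    return []


def issuance_authorized(zone, fqdn, issuer, wildcard=False):
    """True if a CA that recognises `issuer` as its Issuer Domain Name may issue
    for `fqdn` according to the relevant CAA record set."""
    records = relevant_record_set(zone, fqdn)
    if not records:
        return True      # no CAA published: CAA does not restrict issuance
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False     # critical property the CA does not understand: must not issue
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"  # issuewild takes precedence over issue for wildcard names
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True      # only iodef (or similar) present: issuance not restricted
    return any(issuer_domain_name(r.value) == issuer.lower() for r in relevant)


def evaluate_options():
    """Options (a) and (b) from the message, evaluated for www.customer.example,
    which has no CAA RRset of its own and so inherits customer.example's."""
    # (a) the customer names the trusted root's domain
    zone_a = {"customer.example": [parse_caa('0 issue "trusted-root.example"')]}
    # (b) the customer names the external sub CA operator's own domain
    zone_b = {"customer.example": [parse_caa('0 issue "external-subca.example"'),
                                   parse_caa('0 iodef "mailto:caa@customer.example"')]}
    host = "www.customer.example"
    return {
        "a_root":  issuance_authorized(zone_a, host, "trusted-root.example"),
        "a_subca": issuance_authorized(zone_a, host, "external-subca.example"),
        "b_root":  issuance_authorized(zone_b, host, "trusted-root.example"),
        "b_subca": issuance_authorized(zone_b, host, "external-subca.example"),
    }


if __name__ == "__main__":
    for case, allowed in evaluate_options().items():
        print(f"{case}: {'authorized' if allowed else 'refused'}")
```

The outcome hinges entirely on which Issuer Domain Name the checking CA compares against: under option (a) an external sub CA that matches only its own name refuses, and under option (b) the root operator refuses for a record that names only the sub CA. That is the CPS question the message raises: whatever name(s) a CA treats as its own must be published so domain holders know what to put in the record. Note also that RFC 8659 has since obsoleted RFC 6844 and revised the lookup rules, so a production checker should follow the newer document.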