[cabfpub] Notice of Review Period - Ballot 214 - CAA Discovery CNAME Errata

Kirk Hall Kirk.Hall at entrustdatacard.com
Wed Sep 27 22:56:31 UTC 2017


NOTICE OF REVIEW PERIOD - BALLOT 214

This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum's Intellectual Property Rights Policy (v1.2).  This Review Period is for Final Maintenance Guidelines (30 day Review Period).  A complete draft of the Draft Guideline that is the subject of this Review Notice is attached.

Date Review Notice Sent:        September 27, 2017

Ballot for Review:                    Ballot 214 - CAA Discovery CNAME Errata

Start of Review Period:           September 27, 2017 at 23:00 UTC

End of Review Period:             October 27, 2017 at 23:00 UTC

Please forward any Exclusion Notice relating to Essential Claims to the Chair by email to kirk.hall at entrustdatacard.com<mailto:kirk.hall at entrustdatacard.com> before the end of the Review Period.  See current version of CA/Browser Forum Intellectual Property Rights Policy for details.

(Optional form of Exclusion Notice is attached)


Ballot 214 - CAA Discovery CNAME Errata



-- MOTION BEGINS --

In the Baseline Requirements v1.4.9 Section 3.2.2.8. CAA Records

Strike:

As part of the issuance process, the CA MUST check for a CAA record for each dNSName in the subjectAltName extension of the certificate to be issued, according to the procedure in RFC 6844, following the processing instructions set down in RFC 6844 for any records found. If the CA issues, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.

Replace with:

As part of the issuance process, the CA MUST check for CAA records and follow the processing instructions for any records found, for each dNSName in the subjectAltName extension of the certificate to be issued, as specified in RFC 6844 as amended by Errata 5065 (Appendix A). If the CA issues, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.


In the Baseline Requirements ADD an Appendix A that reads:

Appendix A -- RFC6844 Errata 5065

The following errata report has been held for document update for RFC6844, "DNS Certification Authority Authorization (CAA) Resource Record".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5065

--------------------------------------
Status: Held for Document Update
Type: Technical

Reported by: Phillip Hallam-Baker <philliph at comodo.com<mailto:philliph at comodo.com>> Date Reported: 2017-07-10 Held by: EKR (IESG)

Section: 4

Original Text
-------------
   Let CAA(X) be the record set returned in response to performing a CAA
   record query on the label X, P(X) be the DNS label immediately above
   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
   alias record specified at the label X.

   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise

   o  If A(X) is not null, and R(A(X)) is not empty, then R(X) =
      R(A(X)), otherwise

   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise

   o  R(X) is empty.

Corrected Text
--------------
   Let CAA(X) be the record set returned in response to performing a CAA
   record query on the label X, P(X) be the DNS label immediately above
   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
   alias record chain specified at the label X.

   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise

   o  If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =
      CAA(A(X)), otherwise

   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise

   o  R(X) is empty.

  Thus, when a search at node X returns a CNAME record, the CA will
  follow the CNAME record chain to its target. If the target label
  contains a CAA record, it is returned.

  Otherwise, the CA continues the search at
  the parent of node X.

  Note that the search does not include the parent of a target of a
  CNAME record (except when the CNAME points back to its own path).

  To prevent resource exhaustion attacks, CAs SHOULD limit the length of
  CNAME chains that are accepted. However CAs MUST process CNAME
  chains that contain 8 or fewer CNAME records.

--Motion Ends--


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170927/9a3f7f89/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ballot 214 Review Notice and Exclusion Notice Template.pdf
Type: application/pdf
Size: 526909 bytes
Desc: Ballot 214 Review Notice and Exclusion Notice Template.pdf
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170927/9a3f7f89/attachment-0002.pdf>


More information about the Public mailing list