[cabfpub] Voting has started on Ballot 21 - CAA Discovery CNAME Errata
Josh Aas
josh at letsencrypt.org
Thu Sep 21 03:33:36 UTC 2017
Let's Encrypt votes YES
On Wed, Sep 20, 2017 at 7:54 PM, Kirk Hall via Public
<public at cabforum.org> wrote:
> Voting has started on Ballot 214 – CAA Discovery CNAME Errata.
>
>
>
> Technically, the Discussion period ended at 22:00 UTC today (which was 3:00
> pm Pacific Time). Josh, as the Proposer of the Ballot, accepted Gerv and
> Tim’s email suggestion as to a 3-month transition period, but this
> acceptance occurred at 5:05 pm Pacific Time, two hours after the end of the
> discussion period. Also, we don’t have specific amendment language to
> consider, only a concept.
>
>
>
> Regrettably, I think it’s too late for this transition period amendment, so
> we are voting on Ballot 214 as originally proposed (see below). If there is
> a need for a transition period, I think it’s best if it’s proposed by a
> separate ballot with specific language.
>
>
>
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Jacob
> Hoffman-Andrews via Public
> Sent: Wednesday, September 13, 2017 2:31 PM
> To: CABFPub <public at cabforum.org>
> Subject: [EXTERNAL][cabfpub] Ballot 214: CAA Discovery CNAME Errata
>
>
>
> Kicking off the official discussion period for ballot 214 today per
> discussion with Phillip.
>
>
>
> The following motion has been proposed by Phillip Hallam-Baker of Comodo
> Group Inc. and endorsed by Gervase Markham of Mozilla and Mads Egil
> Henriksveen of Buypass.
>
> -- MOTION BEGINS --
>
> In the Baseline Requirements v1.4.9 Section 3.2.2.8. CAA Records
>
> Strike:
>
> As part of the issuance process, the CA MUST check for a CAA record for each
> dNSName in the subjectAltName extension of the certificate to be issued,
> according to the procedure in RFC 6844, following the processing
> instructions set down in RFC 6844 for any records found. If the CA issues,
> they MUST do so within the TTL of the CAA record, or 8 hours, whichever is
> greater.
>
> Replace with:
>
> As part of the issuance process, the CA MUST check for CAA records and
> follow the processing instructions for any records found, for each dNSName
> in the subjectAltName extension of the certificate to be issued, as
> specified in RFC 6844 as amended by Errata 5065 (Appendix A). If the CA
> issues, they MUST do so within the TTL of the CAA record, or 8 hours,
> whichever is greater.
>
>
> In the Baseline Requirements ADD an Appendix A that reads:
>
> Appendix A -- RFC6844 Errata 5065
>
> The following errata report has been held for document update for RFC6844,
> "DNS Certification Authority Authorization (CAA) Resource Record".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata/eid5065
>
> --------------------------------------
> Status: Held for Document Update
> Type: Technical
>
> Reported by: Phillip Hallam-Baker <philliph at comodo.com> Date Reported:
> 2017-07-10 Held by: EKR (IESG)
>
> Section: 4
>
> Original Text
> -------------
> Let CAA(X) be the record set returned in response to performing a CAA
> record query on the label X, P(X) be the DNS label immediately above
> X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
> alias record specified at the label X.
>
> o If CAA(X) is not empty, R(X) = CAA (X), otherwise
>
> o If A(X) is not null, and R(A(X)) is not empty, then R(X) =
> R(A(X)), otherwise
>
> o If X is not a top-level domain, then R(X) = R(P(X)), otherwise
>
> o R(X) is empty.
>
> Corrected Text
> --------------
> Let CAA(X) be the record set returned in response to performing a CAA
> record query on the label X, P(X) be the DNS label immediately above
> X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
> alias record chain specified at the label X.
>
> o If CAA(X) is not empty, R(X) = CAA (X), otherwise
>
> o If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =
> CAA(A(X)), otherwise
>
> o If X is not a top-level domain, then R(X) = R(P(X)), otherwise
>
> o R(X) is empty.
>
> Thus, when a search at node X returns a CNAME record, the CA will
> follow the CNAME record chain to its target. If the target label
> contains a CAA record, it is returned.
>
> Otherwise, the CA continues the search at
> the parent of node X.
>
> Note that the search does not include the parent of a target of a
> CNAME record (except when the CNAME points back to its own path).
>
> To prevent resource exhaustion attacks, CAs SHOULD limit the length of
> CNAME chains that are accepted. However CAs MUST process CNAME
> chains that contain 8 or fewer CNAME records.
>
> --Motion Ends--
>
> The procedure for approval of this Final Maintenance Guideline ballot is as
> follows (exact start and end times may be adjusted to comply with applicable
> Bylaws and IPR Agreement):
>
> BALLOT 214 Status: Final Maintenance Guideline Start time (22:00 UTC)
> End time (22:00 UTC)
>
> Discussion begins now and ends September 20, 2017 22:00 UTC (7 days)
>
> Vote for approval begins September 20, 2017 22:00 UTC and ends September 27,
> 2017 22:00 UTC (7 days)
>
> If vote approves ballot: Review Period (Chair to send Review Notice) (30
> days). If Exclusion Notice(s) filed, ballot approval is rescinded and PAG to
> be created. If no Exclusion Notices filed, ballot becomes effective at end
> of Review Period. Upon filing of Review Notice by Chair 30 days after
> filing of Review Notice by Chair
>
> From Bylaw 2.3: If the Draft Guideline Ballot is proposing a Final
> Maintenance Guideline, such ballot will include a redline or comparison
> showing the set of changes from the Final Guideline section(s) intended to
> become a Final Maintenance Guideline, and need not include a copy of the
> full set of guidelines. Such redline or comparison shall be made against the
> Final Guideline section(s) as they exist at the time a ballot is proposed,
> and need not take into consideration other ballots that may be proposed
> subsequently, except as provided in Bylaw Section 2.3(j).
>
> Votes must be cast by posting an on-list reply to this thread on the Public
> list. A vote in favor of the motion must indicate a clear 'yes' in the
> response. A vote against must indicate a clear 'no' in the response. A vote
> to abstain must indicate a clear 'abstain' in the response. Unclear
> responses will not be counted. The latest vote received from any
> representative of a voting member before the close of the voting period will
> be counted. Voting members are listed here: https://cabforum.org/members/
>
> In order for the motion to be adopted, two thirds or more of the votes cast
> by members in the CA category and greater than 50% of the votes cast by
> members in the browser category must be in favor. Quorum is shown on
> CA/Browser Forum wiki. Under Bylaw 2.2(g), at least the required quorum
> number must participate in the ballot for the ballot to be valid, either by
> voting in favor, voting against, or abstaining.
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
--
Josh Aas
Executive Director
Internet Security Research Group
Let's Encrypt: A Free, Automated, and Open CA
More information about the Public
mailing list