[Servercert-wg] Ballot SC 13 version 3

Doug Beattie doug.beattie at globalsign.com
Tue Dec 4 13:23:12 MST 2018

I’m not totally understanding the Assumptions:

$ORIGIN example.com <http://example.com> 

. CAA 0 contactemail "domainowner at example.com <mailto:domainowner at example.com> "

subdomain CAA 0 issue "ca.example.net <http://ca.example.net> "


I’m assuming you were using 2 records like this:

example.com CAA 0 contactemail "domainowner at example.com"

subdomain.example.com CAA 0 issuewild test.ca


But, I understand your point.

*	When you’re looking for email addresses in subdomain.example.com and you encounter a non-empty CAA record set (with no contactemail), you’re obligated to stop processing further.  
*	If you do a new CAA look-up for the ADN example.com, then you will find contactemail and you can use that.


Are the issue, issuewild or iodef records processed other than for existence as described above?   If you assume:

subdomain.example.com CAA 0 contactemail "domainowner at example.com"

subdomain.example.com CAA 0 issuewild test.ca

then can only test.ca use the contactemail?  I’m assuming that any CA can validate this domain (and issuance would fail later for any CA other than test.ca)




From: Ryan Sleevi <sleevi at google.com> 
Sent: Tuesday, December 4, 2018 2:40 PM
To: Doug Beattie <doug.beattie at globalsign.com>
Cc: Tim Hollebeek <tim.hollebeek at digicert.com>; servercert-wg at cabforum.org
Subject: Re: [Servercert-wg] Ballot SC 13 version 3



On Tue, Dec 4, 2018 at 2:27 PM Doug Beattie <doug.beattie at globalsign.com <mailto:doug.beattie at globalsign.com> > wrote:

I was out last week, so sorry for not commenting.


1.	There is only one ADN per validation, but there may be multiple ADNs candidates for any specified FQDN.  There are 2 in Ryan’s example and a CA might let the user select which one they want to use per FQDN.



2.	The validation done on the ADN is reusable (per the note) for other domain validations for that Applicant.

Correct, provided both domains "choose" (CA or Applicant) the same ADN, then one can reuse the validation of the ADN from the first FQDN as validation of the ADN for the second FQDN.


2.	There is no relationship or processing of issue or issuewild CAA records when performing domain validation defined in method 13 or 14.

No, not correct. The algorithm is defined in terms of RFC 6844 (as amended ...), Section 4. This is intentionally to avoid this misinterpretation. If there is a CAA record present, and has any property tag - which would include issue, issuewild, *as well as* iodef and any subsequently introduced properties - then that constitutes the CAA record set


If we assume the following:

$ORIGIN example.com <http://example.com> 

. CAA 0 contactemail "domainowner at example.com <mailto:domainowner at example.com> "

subdomain CAA 0 issue "ca.example.net <http://ca.example.net> "


* Verifying FQDN "subdomain.example.com <http://subdomain.example.com> " with an ADN of "subdomain.example.com <http://subdomain.example.com> "



* Verifying FQDN "subdomain.example.com <http://subdomain.example.com> " with an ADN of "example.com <http://example.com> "

* Verifying FQDN "example.com <http://example.com> " with an ADN of "example.com <http://example.com> "


The reason why the ADN of "subdomain.example.com <http://subdomain.example.com> " is NOT PERMITTED is because CAA("subdomain.example.com <http://subdomain.example.com> "), as defined in Section 4, returns only "issue" property, and thus lacks contact email.

However, as shown by PERMITTED, you "work around" this by using the ADN of example.com <http://example.com> .


This may seem a little counter-intuitive, but it ensures there is one uniform approach for looking up CAA records, as defined in the RFC. For this specific case (contactemail), because it's being used in verification, the CA can "work around" the limitation by choosing the ADN. This is, however, no different from any of our other approaches to validating domain control - if a method fails for a given ADN (for example, no WHOIS service for 'subdomain.example.com <http://subdomain.example.com> '), then you can continue walking up to try other ADNs.


Does that make sense?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181204/f2dd15e6/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5716 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181204/f2dd15e6/attachment-0001.p7s>

More information about the Servercert-wg mailing list