[Servercert-wg] Ballot SC 13 version 3

Ryan Sleevi sleevi at google.com
Tue Dec 4 13:55:28 MST 2018


On Tue, Dec 4, 2018 at 3:23 PM Doug Beattie <doug.beattie at globalsign.com>
wrote:

> I’m assuming you were using 2 records like this:
>
> example.com CAA 0 contactemail "domainowner at example.com"
>
> subdomain.example.com CAA 0 issuewild test.ca
>

Sure

But, I understand your point.
>
>    - When you’re looking for email addresses in subdomain.example.com and
>    you encounter a non-empty CAA record set (with no contactemail), you’re
>    obligated to stop processing further.
>    - If you do a new CAA look-up for the ADN example.com, then you will
>    find contactemail and you can use that.
>
> Correct.


> Are the issue, issuewild or iodef records processed other than for
> existence as described above?   If you assume:
>
> subdomain.example.com CAA 0 contactemail "domainowner at example.com"
>
> subdomain.example.com CAA 0 issuewild test.ca
>
> then can only test.ca use the contactemail?  I’m assuming that any CA can
> validate this domain (and issuance would fail later for any CA other than
> test.ca)
>

I'm not sure I fully understand your question. As described, this would put
a restriction on wildcard issuance (issuewild), but NOT put a restriction
on general issuance, and thus potentially any CA could use the email method
for non-wildcard issuance.

This is why I suggested providing illustrative guidance for the
expectations ('unit tests'), if you will:

subdomain.example.com CAA 0 contactemail "domainowner at example.com"
example.com CAA 0 issue "ca.test"

In this model:
1) Any CA can issue for "subdomain.example.com" using an ADN of
"subdomain.example.com" or an ADN of "example.com"
  * This is because CAA(subdomain.example.com) lacks an "issue" or
"issuewild" property
  * CAA is looked up by FQDN, not ADN - this is intentional to allow
more-specific rules to override
2) Certificates for any domain *but* "subdomain.example.com" are only
authorized for "ca.test"

If they wanted to restrict *all* certificates to "ca.test", they'd have to
subdomain.example.com CAA 0 contactemail "domainowner at example.com"
subdomain.example.com CAA 0 issue "ca.test"
example.com CAA 0 issue "ca.test"

Then only "ca.test" can issue, and they can use any validation method that
works, including draft method 13 (CAA).

Did that answer your question (in a roundabout way)?
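As an added illustration of the "unit test" reading in the message above (example code written for this archive page, not code from the thread or from any CA's implementation; the zone dicts, the function names and the placeholder address `domainowner@example.com` are constructed), a small Python model of the relevant-RRset walk that lets you check each scenario discussed:

```python
from typing import Dict, List, Optional, Set, Tuple

# A CAA record is (flags, tag, value); a "zone" maps an owner name to its
# CAA RRset.  Constructed data modelled on the records quoted in the thread.
CAARecord = Tuple[int, str, str]
Zone = Dict[str, List[CAARecord]]


def relevant_rrset(zone: Zone, fqdn: str) -> Tuple[str, List[CAARecord]]:
    """Walk from the FQDN toward the root and return the first non-empty
    CAA RRset (the RFC 8659 'relevant RRset') and the name it was found at.
    Processing stops at that RRset, even if it holds no useful property."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = zone.get(name, [])
        if rrset:
            return name, rrset
    return "", []


def authorized_cas(zone: Zone, fqdn: str, wildcard: bool = False) -> Optional[Set[str]]:
    """CA identifiers permitted to issue for fqdn, or None if any CA may.
    issuewild overrides issue for wildcard names only; a relevant RRset with
    neither property (e.g. contactemail alone) restricts nothing."""
    _, rrset = relevant_rrset(zone, fqdn)
    issue = {v for _, tag, v in rrset if tag == "issue"}
    issuewild = {v for _, tag, v in rrset if tag == "issuewild"}
    if wildcard and issuewild:
        return issuewild
    if issue:
        return issue
    return None


def can_issue(zone: Zone, fqdn: str, ca: str, wildcard: bool = False) -> bool:
    """True if the named CA is authorised for fqdn under the zone's CAA data."""
    allowed = authorized_cas(zone, fqdn, wildcard)
    return allowed is None or ca in allowed


def contact_emails(zone: Zone, name: str) -> List[str]:
    """contactemail values usable when validating 'name' (FQDN or ADN):
    only the relevant RRset for that exact lookup is consulted."""
    _, rrset = relevant_rrset(zone, name)
    return [v for _, tag, v in rrset if tag == "contactemail"]


# Scenario from the message above: contactemail on the subdomain only,
# issue restriction at the parent (constructed zone data).
MODEL_1: Zone = {
    "subdomain.example.com": [(0, "contactemail", "domainowner@example.com")],
    "example.com": [(0, "issue", "ca.test")],
}
```

Adding `(0, "issue", "ca.test")` to the subdomain's RRset reproduces the second model, where only "ca.test" may issue anywhere while the contactemail stays usable.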