[Servercert-wg] Ballot SC 13 version 3

Doug Beattie doug.beattie at globalsign.com
Tue Dec 4 14:30:41 MST 2018 

I’m getting more “correct” and “sure” responses, so that’s good.  Just one last item.

 

Let me ask this question again.  Are the issue, issuewild or iodef records processed other than for existence?   If we assume:

subdomain.example.com <http://subdomain.example.com>  CAA 0 contactemail "domainowner at example.com <mailto:domainowner at example.com> "

subdomain.example.com <http://subdomain.example.com>  CAA 0 issue test.ca <http://test.ca> 

When example.ca is attempting to perform domain validation for subdomain.example.com, are they permitted to validate the domain?  I understand this will fail later during issuance, but the question is: Is the CA required to look at and process the other CAA records when doing domain validation?  I’m assuming that the issue and issuewild are only used for issuance (as their name implies).  I just wanted to be sure that the domain validation process didn’t need to take these records into account to permit or block domain validation.

 

 

 

From: Ryan Sleevi <sleevi at google.com> 
Sent: Tuesday, December 4, 2018 3:55 PM
To: Doug Beattie <doug.beattie at globalsign.com>
Cc: Tim Hollebeek <tim.hollebeek at digicert.com>; servercert-wg at cabforum.org
Subject: Re: [Servercert-wg] Ballot SC 13 version 3

 

 

On Tue, Dec 4, 2018 at 3:23 PM Doug Beattie <doug.beattie at globalsign.com <mailto:doug.beattie at globalsign.com> > wrote:

I’m assuming you were using 2 records like this:

example.com <http://example.com>  CAA 0 contactemail "domainowner at example.com <mailto:domainowner at example.com> "

subdomain.example.com <http://subdomain.example.com>  CAA 0 issuewild test.ca <http://test.ca> 

 

Sure

 

But, I understand your point.

*	When you’re looking for email addresses in subdomain.example.com <http://subdomain.example.com>  and you encounter a non-empty CAA record set (with no contactemail), you’re obligated to stop processing further.  
*	If you do a new CAA look-up for the ADN example.com <http://example.com> , then you will find contactemail and you can use that.

Correct.

 

Are the issue, issuewild or iodef records processed other than for existence as described above?   If you assume:

subdomain.example.com <http://subdomain.example.com>  CAA 0 contactemail "domainowner at example.com <mailto:domainowner at example.com> "

subdomain.example.com <http://subdomain.example.com>  CAA 0 issuewild test.ca <http://test.ca> 

then can only test.ca <http://test.ca>  use the contactemail?  I’m assuming that any CA can validate this domain (and issuance would fail later for any CA other than test.ca <http://test.ca> )

 

I'm not sure I fully understand your question. As described, this would put a restriction on wildcard issuance (issuewild), but NOT put a restriction on general issuance, and thus potentially any CA could use the email method for non-wildcard issuance.

 

This is why I suggested providing illustrative guidance for the expectations ('unit tests'), if you will:

 

subdomain.example.com <http://subdomain.example.com>  CAA 0 contactemail "domainowner at example.com <mailto:domainowner at example.com> "

example.com <http://example.com>  CAA 0 issue "ca.test"

 

In this model:

1) Any CA can issue for "subdomain.example.com <http://subdomain.example.com> " using ADN of "subdomain.example.com <http://subdomain.example.com> " or an ADN of "example.com <http://example.com> "

  * This is because CAA(subdomain.example.com <http://subdomain.example.com> ) lacks an "issue" or "issuewild" property

  * CAA is looked up by FQDN, not ADN - this is intentional to allow more-specific rules to override

2) Certificates for any domain *but* "subdomain.example.com <http://subdomain.example.com> " are only authorized for "ca.test"

 

If they wanted to restrict *all* certificates to "ca.test", they'd have to

subdomain.example.com <http://subdomain.example.com>  CAA 0 contactemail "domainowner at example.com <mailto:domainowner at example.com> "

subdomain.example.com <http://subdomain.example.com>  CAA 0 issue "ca.test"

example.com <http://example.com>  CAA 0 issue "ca.test"

 

Then only "ca.test" can issue, and they can use any validation method that works, including draft method 13 (CAA). 

 

Did that answer your question (in a roundabout way?)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181204/5ff02337/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5716 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181204/5ff02337/attachment-0001.p7s>

More information about the Servercert-wg mailing list