[Servercert-wg] Seeking endorsers: Draft ballot to sunset the CAA exception

Ryan Sleevi sleevi at google.com
Wed Apr 7 21:28:44 UTC 2021


I'm looking for endorsers to a draft ballot to sunset the CAA exception
afforded to DNS operators.

The proposed language is available at
https://github.com/cabforum/servercert/compare/main...sleevi:caa_exception

The motivation is fairly simple: In looking at CA practices and CA
incidents, the current implementation introduces significant risk in terms
of CAs' understanding the requirements and appropriately implementing them.

The logic involved in determining whether or not the CA is the DNS Operator
is quite complex, and requires a thorough knowledge of DNS protocols. In
practice, what we've seen is CAs simply self-attesting that they are the
DNS Operator, and not implementing those checks as required, which then
further leads to non-compliance incidents that CAA can and would have
prevented.

Given that it's now been several years of CAA, and we've seen it already
used to enhance and improve our validation methods, requiring a consistent
checking of CAA (with the exception of technically-constrained sub-CAs or
when the CA has already logged a pre-certificate) seems like a reasonable
balance.

The CT Log exception is also tricky, and so it may be worth revisiting
whether it's necessary, but this ballot doesn't do that yet.

The sunset proposed is three months from now (give or take), which was
chosen because the actual use/reliance upon this exception is quite rare,
and the CAs that currently rely on it already have some form of CAA
checking implemented, to the best of my knowledge. If there are concerns
with the timeline, concrete details, as always, are welcome.
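As an added illustration of the "consistent checking of CAA" the post calls for (this is example code written for this page, not code from the post, the ballot, or the CA/Browser Forum), the following is a simplified implementation of the RFC 8659 evaluation logic over a constructed in-memory zone: it climbs towards the root to find the Relevant RRset, applies the issuewild-over-issue precedence for wildcard names, refuses issuance on an unrecognized critical property, and treats an empty issuer-domain-name as forbidding every CA. Real CAs resolve CAA through DNS (ideally with DNSSEC validation); the zone contents and the CA identifiers such as `ca-one.example` are constructed for the example.

```python
"""Simplified RFC 8659 CAA check over a constructed, in-memory zone.

Added example (not part of the mailing-list post). The ZONE table and the
issuer names in it are constructed for illustration only; a real CA
resolves CAA RRsets over DNS, this module only models the evaluation step.
"""
from typing import Dict, List, NamedTuple, Tuple


class CAARecord(NamedTuple):
    flags: int   # bit value 128 = "issuer critical" flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str


KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone: name -> CAA RRset (only names that carry CAA records).
ZONE: Dict[str, List[CAARecord]] = {
    "example.test": [CAARecord(0, "issue", "ca-one.example"),
                     CAARecord(0, "iodef", "mailto:security@example.test")],
    "strict.example.test": [CAARecord(0, "issue", ";")],      # nobody may issue
    "wild.example.test": [CAARecord(0, "issue", "ca-one.example"),
                          CAARecord(0, "issuewild", "ca-two.example")],
    "locked.example.test": [CAARecord(128, "future-tag", "x")],  # critical, unknown
    "iodef-only.example.test": [CAARecord(0, "iodef", "mailto:x@example.test")],
}


def _parent(name: str) -> str:
    """Strip the leftmost label; returns "" once the root is reached."""
    _, _, rest = name.partition(".")
    return rest


def relevant_rrset(zone: Dict[str, List[CAARecord]],
                   fqdn: str) -> Tuple[str, List[CAARecord]]:
    """RFC 8659 section 3: walk from the FQDN towards the root and return
    the first non-empty CAA RRset plus the name it was found at."""
    name = fqdn.rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]          # the wildcard label itself carries no CAA
    while name:
        rrset = zone.get(name, [])
        if rrset:
            return name, rrset
        name = _parent(name)
    return "", []


def _issuer_domain(value: str) -> str:
    """issue/issuewild value is 'issuer-domain-name [; parameters]'."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone: Dict[str, List[CAARecord]], fqdn: str,
                ca_identifier: str) -> Tuple[bool, str]:
    """Return (permitted, reason) for one FQDN and one CA identifier."""
    wildcard = fqdn.startswith("*.")
    found_at, rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True, "no relevant CAA RRset"
    # An unrecognized property with the critical flag set blocks issuance.
    for rr in rrset:
        if rr.flags & 128 and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"unrecognized critical tag {rr.tag!r} at {found_at}"
    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    # For wildcard names, issuewild takes precedence whenever any is present.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"no applicable issue property at {found_at}"
    allowed = {_issuer_domain(rr.value) for rr in applicable}
    if ca_identifier.lower() in allowed:
        return True, f"authorized by CAA at {found_at}"
    return False, f"CAA at {found_at} authorizes {sorted(a or ';' for a in allowed)}"


if __name__ == "__main__":
    for name, ca in [("www.example.test", "ca-one.example"),
                     ("www.example.test", "other.example"),
                     ("strict.example.test", "ca-one.example"),
                     ("*.wild.example.test", "ca-two.example"),
                     ("host.wild.example.test", "ca-two.example"),
                     ("locked.example.test", "ca-one.example")]:
        ok, why = caa_permits(ZONE, name, ca)
        print(f"{name:28} {ca:16} {'PERMIT' if ok else 'DENY ':6} {why}")
```

The climb stops at the first non-empty RRset, so a subdomain that publishes only an iodef record is evaluated on that record alone and is not governed by its parent's issue records; the constructed `iodef-only.example.test` entry exercises exactly that case.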