[Servercert-wg] Clarification of CAA requirements for onion certificates

Neil Dunbar ndunbar at trustcorsystems.com
Tue Jan 26 17:26:25 UTC 2021


Wouldn't that be covered by

    "CAs are permitted to treat a record lookup failure as permission to
    issue if:

        • the failure is outside the CA’s infrastructure; and

        • the lookup has been retried at least once; and

        • the domain’s zone does not have a DNSSEC validation chain to
        the ICANN root."

The DNS lookup would fail with NXDOMAIN, and the failure probably isn't 
in the CA's infrastructure, and if the DNS lookup failed, that would 
also indicate that no valid DNSSEC chain exists (at least, I don't see 
DS records for onion in the root zone). I guess to be 100% sure, you'd 
need to perform the lookup at least twice.

I guess that, since issuance requirements for onion are specifically 
carved out in Appendix B, it might make sense to carve out an explicit 
exception for that domain. Although if in a future revision of the 
technology, CAA policies could be expressed for onion addresses, I think 
we'd want to see those policies honoured, no?

Just some thoughts,

Neil

On 26/01/2021 10:08, Dimitris Zacharopoulos (HARICA) via Servercert-wg 
wrote:
> Dear Members,
>
> I was doing a review of CAA requirements in the BRs. Unless I am 
> missing something, section 3.2.2.8 seems to enforce the CAA check for 
> all certificate types, including onion certificates. I believe there 
> should be an exemption for onion certificates since they do not use 
> the DNS that chains to the ICANN root.
>
> Do others feel that we need to clarify this further in the BRs either 
> in section 3.2.2.8 or in Appendix B?
>
>
> Thank you,
> Dimitris.
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
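Added example (not CA/B Forum or list-member code): a small, offline model of the CAA decision discussed in this thread, walking the RFC 8659 search from the requested name up to the TLD and applying the three-condition lookup-failure rule quoted from BR 3.2.2.8. The resolver, the zone contents and every name in it (example.com, flaky.example, signed-broken.example, foo.onion, the CA identifier ca.example) are constructed. It models NXDOMAIN as "no CAA record at this name, keep climbing" and reserves the three-condition exemption for SERVFAIL and timeouts; that is a modelling choice for the example, not something the thread settles. Wildcard (issuewild) handling is left out.

```python
# Added example (not CA/B Forum or list-member code): a minimal model of a CAA
# decision that applies the BR 3.2.2.8 lookup-failure rule quoted in the thread.
# The resolver, zone contents and names below are constructed so it runs offline.
from dataclasses import dataclass
from typing import Tuple

CRITICAL = 128  # RFC 8659 issuer-critical flag bit


@dataclass
class LookupResult:
    status: str                 # "ok", "nxdomain", "servfail" or "timeout"
    records: Tuple = ()         # (flags, tag, value) triples when status == "ok"
    dnssec_chain: bool = False  # a validated DNSSEC chain to the ICANN root exists


# Constructed data: a signed zone with a CAA record, an unsigned flaky zone,
# and a signed zone whose resolution fails (possibly a validation failure).
CONSTRUCTED_ZONE = {
    "www.example.com": LookupResult("ok", (), dnssec_chain=True),
    "example.com": LookupResult("ok", ((0, "issue", "ca.example"),), dnssec_chain=True),
    "flaky.example": LookupResult("servfail", dnssec_chain=False),
    "signed-broken.example": LookupResult("servfail", dnssec_chain=True),
}


def lookup(name: str) -> LookupResult:
    # .onion is not delegated from the ICANN root, so every label returns NXDOMAIN
    if name == "onion" or name.endswith(".onion"):
        return LookupResult("nxdomain", dnssec_chain=False)
    return CONSTRUCTED_ZONE.get(name, LookupResult("nxdomain", dnssec_chain=False))


def relevant_caa_set(fqdn, resolver=lookup, retries=1):
    """RFC 8659 search: climb from fqdn towards the TLD and return the first
    non-empty CAA RRset. Returns (records, failure); failure is a dict describing
    an unrecoverable lookup error, or None."""
    labels = fqdn.split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        result = resolver(name)
        attempts = 1
        # BR: a failed lookup is retried at least once before any exemption applies
        while result.status in ("servfail", "timeout") and attempts <= retries:
            result = resolver(name)
            attempts += 1
        if result.status in ("servfail", "timeout"):
            return (), {"name": name, "status": result.status,
                        "attempts": attempts, "dnssec_chain": result.dnssec_chain}
        if result.status == "ok" and result.records:
            return result.records, None
        # NXDOMAIN or an empty answer: no CAA at this name, keep climbing
    return (), None


def may_issue(fqdn, ca_identifier, resolver=lookup, failure_outside_ca_infra=True):
    """Return (permitted, reason) for a certificate request covering fqdn."""
    records, failure = relevant_caa_set(fqdn, resolver)
    if failure is not None:
        # All three BR conditions must hold to treat the failure as permission.
        if failure_outside_ca_infra and failure["attempts"] >= 2 and not failure["dnssec_chain"]:
            return True, f"lookup failure at {failure['name']} treated as permission"
        return False, f"lookup failure at {failure['name']} does not qualify for exemption"
    if not records:
        return True, "no relevant CAA RRset found"
    # An unknown tag carrying the critical flag means: do not issue.
    for flags, tag, _ in records:
        if flags & CRITICAL and tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown CAA tag {tag!r}"
    issue = [value.split(";")[0].strip() for _, tag, value in records if tag == "issue"]
    if not issue:
        return True, "no issue property present"
    if ca_identifier in issue:
        return True, f"{ca_identifier} authorised by CAA"
    return False, f"{ca_identifier} not in CAA issue set {issue}"


if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca.example"), ("www.example.com", "other.example"),
                     ("foo.onion", "ca.example"), ("flaky.example", "ca.example"),
                     ("signed-broken.example", "ca.example")]:
        print(name, ca, may_issue(name, ca))
```

The signed-broken.example case is the one worth noticing: a lookup failure in a zone that does have a DNSSEC chain to the root fails the third condition and is not treated as permission, since that failure could be a validation failure rather than an outage. The .onion case never reaches the failure branch at all in this model; it climbs to the top without a record and is permitted for lack of any relevant RRset.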

