[Servercert-wg] Clarification of CAA requirements for onion certificates

Ryan Sleevi sleevi at google.com
Tue Jan 26 19:57:42 UTC 2021


Yeah, I think Neil's on the money.

I filed https://github.com/cabforum/servercert/issues/242 so we don't
forget, and I've been tracking a cluster of .onion fixes (
https://github.com/cabforum/servercert/issues/191 ,
https://github.com/cabforum/servercert/issues/190 ,
https://github.com/cabforum/servercert/issues/240 ) to tackle after
pandocification.

On Tue, Jan 26, 2021 at 12:26 PM Neil Dunbar via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Wouldn't that be covered by
>
> "CAs are permitted to treat a record lookup failure as permission to issue
> if:
>
> • the failure is outside the CA’s infrastructure; and
>
> • the lookup has been retried at least once; and
>
> • the domain’s zone does not have a DNSSEC validation chain to the ICANN
> root."
>
> The DNS lookup would fail with NXDOMAIN, and the failure probably isn't in
> the CA's infrastructure, and if the DNS lookup failed, that would also
> indicate that no valid DNSSEC chain exists (at least, I don't see DS
> records for onion in the root zone). I guess to be 100% sure, you'd need to
> perform the lookup at least twice.
>
> I guess that, since issuance requirements for onion are specifically carved
> out in Appendix B, it might make sense to carve out an explicit exception
> for that domain. Although if in a future revision of the technology, CAA
> policies could be expressed for onion addresses, I think we'd want to see
> those policies honoured, no?
>
> Just some thoughts,
>
> Neil
>
> On 26/01/2021 10:08, Dimitris Zacharopoulos (HARICA) via Servercert-wg
> wrote:
>
> Dear Members,
>
> I was doing a review of CAA requirements in the BRs. Unless I am missing
> something, section 3.2.2.8 seems to enforce the CAA check for all
> certificate types, including onion certificates. I believe there should be
> an exemption for onion certificates since they do not use the DNS that
> chains to the ICANN root.
>
> Do others feel that we need to clarify this further in the BRs either in
> section 3.2.2.8 or in Appendix B?
>
>
> Thank you,
> Dimitris.
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
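As an added example (my own, not code from the thread, the BRs, or any CA), here is a CAA check that climbs the name tree as in RFC 8659 section 3 and applies, at each label, the lookup-failure rule Neil quotes from BR 3.2.2.8. It distinguishes an empty answer (NXDOMAIN, or NOERROR with no CAA records), which only means "no policy at this label, keep climbing", from a real lookup failure (SERVFAIL or timeout), which is retried once and then excused only when all three BR conditions hold. The resolver is an offline stub with constructed zone data; the names, the `failure_outside_ca` field and the single retry are assumptions.

```python
"""Added example, not part of the thread: an RFC 8659-style CAA check with the
BR 3.2.2.8 lookup-failure rule, driven by an offline stub resolver."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class CAARecord:
    flags: int      # bit 0x80 = issuer critical
    tag: str        # "issue", "issuewild", "iodef", ...
    value: str      # e.g. "ca.example; accounturi=..." or ";" (nobody may issue)


@dataclass
class LookupResult:
    status: str                                 # NOERROR, NXDOMAIN, SERVFAIL, TIMEOUT
    records: List[CAARecord] = field(default_factory=list)
    dnssec_chain: bool = False                  # zone validates to the ICANN root
    failure_outside_ca: bool = True             # assumption: error originated outside CA infra


Resolver = Callable[[str], LookupResult]
FAILURES = ("SERVFAIL", "TIMEOUT")
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def climb(fqdn: str) -> List[str]:
    """'a.b.example' -> ['a.b.example', 'b.example', 'example']; the climb stops at the TLD."""
    labels = fqdn.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def records_permit(records: List[CAARecord], ca_domain: str, wildcard: bool) -> bool:
    """RFC 8659 section 4 evaluation of one CAA RRset for one issuer domain."""
    # An issuer-critical record with a property we do not understand forbids issuance.
    if any(r.flags & 0x80 and r.tag.lower() not in KNOWN_TAGS for r in records):
        return False
    relevant = [r for r in records if r.tag.lower() == "issuewild"] if wildcard else []
    if not relevant:                 # no issuewild (or not a wildcard): issue records apply
        relevant = [r for r in records if r.tag.lower() == "issue"]
    if not relevant:                 # only iodef or similar: issuance is unrestricted
        return True
    for r in relevant:
        issuer = r.value.split(";", 1)[0].strip().lower()   # bare ";" yields "" = no issuer
        if issuer and issuer == ca_domain.lower():
            return True
    return False


def caa_permits(fqdn: str, ca_domain: str, resolve: Resolver) -> Tuple[bool, str]:
    """Climb from fqdn towards the TLD; the first non-empty CAA RRset decides."""
    wildcard = fqdn.startswith("*.")
    for name in climb(fqdn):
        result = resolve(name)
        if result.status in FAILURES:
            result = resolve(name)   # BR 3.2.2.8: retry at least once before giving up
        if result.status in FAILURES:
            if result.failure_outside_ca and not result.dnssec_chain:
                return True, f"{name}: lookup failed twice, outside CA, no DNSSEC chain; treated as permission"
            return False, f"{name}: lookup failure cannot be treated as permission"
        # NXDOMAIN and NOERROR-with-no-records are both an empty RRset: keep climbing.
        if result.records:
            ok = records_permit(result.records, ca_domain, wildcard)
            return ok, f"{name}: CAA RRset {'permits' if ok else 'forbids'} {ca_domain}"
    return True, "no CAA RRset on the path to the TLD; issuance unrestricted"


class StubResolver:
    """Offline stand-in for a DNS client. All zone data below is constructed."""

    def __init__(self) -> None:
        self.calls: Dict[str, int] = {}
        self.zones: Dict[str, LookupResult] = {
            "example.com": LookupResult("NOERROR", [CAARecord(0, "issue", "ca.example"),
                                                   CAARecord(0, "issuewild", ";")]),
            "com": LookupResult("NOERROR", []),
            "flaky.example.net": LookupResult("SERVFAIL"),
            "signed.example.org": LookupResult("TIMEOUT", dnssec_chain=True),
        }

    def __call__(self, name: str) -> LookupResult:
        self.calls[name] = self.calls.get(name, 0) + 1
        # .onion is a special-use name (RFC 7686) that is not delegated in the root
        # zone, so "onion" itself and everything under it come back NXDOMAIN.
        if name == "onion" or name.endswith(".onion"):
            return LookupResult("NXDOMAIN")
        return self.zones.get(name, LookupResult("NXDOMAIN"))


if __name__ == "__main__":
    stub = StubResolver()
    for host in ("www.example.com", "*.example.com", "exampleonionaddress.onion",
                 "flaky.example.net", "signed.example.org"):
        print(host, caa_permits(host, "ca.example", stub))
```

The point of the .onion case in the stub: every label, including "onion" itself, answers NXDOMAIN, which is an empty RRset rather than a failed lookup, so the climb simply runs out of labels and issuance is unrestricted without invoking the failure exception at all. The exception only comes into play for the SERVFAIL and timeout cases, where the DNSSEC condition decides whether the CA may proceed.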