[Servercert-wg] Voting Begins for Ballot SC46: Sunset the CAA exception for DNS Operator

Chema Lopez clopez at firmaprofesional.com
Tue Jun 1 15:38:23 UTC 2021


Firmaprofesional votes YES on Ballot SC46: Sunset the CAA exception for DNS
Operator



*Chema López*

Director, Innovation, Compliance and Technology Area

+34 666 429 224






*Barcelona*  Av. Torre Blanca 57, Edif. Esadecreapolis, Local 3B6 - 08173
Sant Cugat del Vallès | +34 934 774 245

*Madrid*  C/ Velázquez 59, 1º Ctro-Izda. - 28001 Madrid | +34 915 762 181


www.firmaprofesional.com





On Wed, 26 May 2021 at 16:00, Ryan Sleevi via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> This email begins the voting period for Ballot SC46: Sunset the CAA
> exception for DNS operator
>
> Purpose of Ballot:
>
> This Ballot addresses security issues with Section 3.2.2.8 regarding CAA
> checking.
>
> Currently, Section 3.2.2.8 permits a CA to bypass CAA checking if the CA
> or an Affiliate of the CA is the DNS Operator. This term is referred to
> through RFC 7719, and involves a precise technical definition regarding how
> a zone's authoritative servers are configured and expressed (e.g. NS
> records). While this allows a CA to skip looking up the CAA record, it does
> not absolve them of the need to look up these other records on every
> issuance.
>
> As practiced by CAs, this has clearly caused some confusion. For example,
> some CAs have incorrectly implemented policies that determine they're
> authoritative based on self-assertion that they are authoritative, which is
> not consistent with the current requirements.
>
> To avoid these issues, this sunsets the CAA exception on 2021-07-01 for
> the DNS Operator, simplifying the requirements and reducing ambiguities for
> CAs performing validation.
>
> The following motion has been proposed by Ryan Sleevi of Google and
> endorsed by Ben Wilson of Mozilla and Jacob Hoffman-Andrews of ISRG/Let's
> Encrypt.
>
> It can be viewed on GitHub as
> https://github.com/cabforum/servercert/pull/271
>
> -- MOTION BEGINS --
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
> based on Version 1.7.4:
>
> MODIFY the Baseline Requirements as specified in the following Redline:
>
>
> https://github.com/cabforum/servercert/compare/47248d77d371356780b08cfa971b26d88d704ca8..6d34b1d51f645912d2237d5d4b46f4a49e8352ed
>
> -- MOTION ENDS --
>
> This ballot proposes a Final Maintenance Guideline.
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 2021-05-13 20:00:00 UTC
> End Time: 2021-05-26 14:00:00 UTC
>
> Vote for approval (7 days)
>
> Start Time: 2021-05-26 14:00:00 UTC
> End Time: TBD