[Servercert-wg] Voting Begins for Ballot SC46: Sunset the CAA exception for DNS Operator

Wojciech Trapczyński wtrapczynski at certum.pl
Wed Jun 2 10:13:25 UTC 2021


Certum votes YES on ballot SC46.

On 26.05.2021 at 20:30, Ryan Sleevi via Servercert-wg wrote:
> Unfortunately, I realized belatedly that I forgot to clearly indicate 
> the Voting End Time.
> 
> As such, the previous mail did not officially start voting. Thankfully, 
> as no votes were received, I think we can just say I didn't start it 
> correctly?
> 
> Please find the corrected announcement below:
> 
> This email begins the voting period for Ballot SC46: Sunset the CAA 
> exception for DNS operator
> 
> Purpose of Ballot:
> 
> This Ballot addresses security issues with Section 3.2.2.8 regarding CAA 
> checking.
> 
> Currently, Section 3.2.2.8 permits a CA to bypass CAA checking if the CA 
> or an Affiliate of the CA is the DNS Operator. This term is referred to 
> through RFC 7719, and involves a precise technical definition regarding 
> how a zone's authoritative servers are configured and expressed (e.g. NS 
> records). While this allows a CA to skip looking up the CAA record, it 
> does not absolve them of the need to look up these other records on 
> every issuance.
> 
> As practiced by CAs, this has clearly caused some confusion. For 
> example, some CAs have incorrectly implemented policies that determine 
> they're authoritative based on self-assertion that they are 
> authoritative, which is not consistent with the current requirements.
> 
> To avoid these issues, this sunsets the CAA exception on 2021-07-01 for 
> the DNS Operator, simplifying the requirements and reducing ambiguities 
> for CAs performing validation.
> 
> The following motion has been proposed by Ryan Sleevi of Google and 
> endorsed by Ben Wilson of Mozilla and Jacob Hoffman-Andrews of 
> ISRG/Let's Encrypt.
> 
> It can be viewed on GitHub as 
> https://github.com/cabforum/servercert/pull/271 
> 
> -- MOTION BEGINS --
> 
> This ballot modifies the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates” (“Baseline Requirements”), 
> based on Version 1.7.4:
> 
> MODIFY the Baseline Requirements as specified in the following Redline:
> 
> https://github.com/cabforum/servercert/compare/47248d77d371356780b08cfa971b26d88d704ca8..6d34b1d51f645912d2237d5d4b46f4a49e8352ed 
> 
> -- MOTION ENDS --
> 
> This ballot proposes a Final Maintenance Guideline.
> 
> The procedure for approval of this ballot is as follows:
> 
> Discussion (7+ days)
> 
> Start Time: 2021-05-13 20:00:00 UTC
> End Time: 2021-05-26 14:00:00 UTC
> 
> Vote for approval (7 days)
> 
> Start Time: 2021-05-26 18:30:00 UTC
> End Time: 2021-06-02 18:30:00 UTC
> 
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
> 

