[Servercert-wg] [EXTERNAL] Re: Voting Begins for Ballot SC46: Sunset the CAA exception for DNS Operator

Christopher Kemmerer chris at ssl.com
Wed Jun 2 20:32:41 UTC 2021


SSL.com votes YES on SC46.

Chris K

On 6/2/2021 1:24 PM, Bruce Morton via Servercert-wg wrote:
>
> Entrust votes Yes to ballot SC46.
>
> Bruce.
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf 
> Of *Ryan Sleevi via Servercert-wg
> *Sent:* Wednesday, May 26, 2021 2:30 PM
> *To:* Ryan Sleevi <sleevi at google.com>; CA/B Forum Server Certificate 
> WG Public Discussion List <servercert-wg at cabforum.org>
> *Subject:* [EXTERNAL] Re: [Servercert-wg] Voting Begins for Ballot 
> SC46: Sunset the CAA exception for DNS Operator
>
> ------------------------------------------------------------------------
>
> Unfortunately, I realized belatedly that I forgot to clearly indicate 
> the Voting End Time.
>
> As such, the previous mail did not officially start voting. 
> Thankfully, as no votes were received, I think we can just say I 
> didn't start it correctly?
>
> Please find the corrected announcement below:
>
> This email begins the voting period for Ballot SC46: Sunset the CAA 
> exception for DNS operator
>
> Purpose of Ballot:
>
> This Ballot addresses security issues with Section 3.2.2.8 regarding 
> CAA checking.
>
> Currently, Section 3.2.2.8 permits a CA to bypass CAA checking if the 
> CA or an Affiliate of the CA is the DNS Operator. This term is 
> referred to through RFC 7719, and involves a precise technical 
> definition regarding how a zone's authoritative servers are configured 
> and expressed (e.g. NS records). While this allows a CA to skip 
> looking up the CAA record, it does not absolve them of the need to 
> look up these other records on every issuance.
>
> As practiced by CAs, this has clearly caused some confusion. For 
> example, some CAs have incorrectly implemented policies that determine 
> they're authoritative based on self-assertion that they are 
> authoritative, which is not consistent with the current requirements.
>
> To avoid these issues, this sunsets the CAA exception on 2021-07-01 
> for the DNS Operator, simplifying the requirements and reducing 
> ambiguities for CAs performing validation.
>
> The following motion has been proposed by Ryan Sleevi of Google and 
> endorsed by Ben Wilson of Mozilla and Jacob Hoffman-Andrews of 
> ISRG/Let's Encrypt.
>
> It can be viewed on GitHub as 
> https://github.com/cabforum/servercert/pull/271 
>
> -- MOTION BEGINS --
>
> This ballot modifies the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates” (“Baseline 
> Requirements”), based on Version 1.7.4:
>
> MODIFY the Baseline Requirements as specified in the following Redline:
>
> https://github.com/cabforum/servercert/compare/47248d77d371356780b08cfa971b26d88d704ca8..6d34b1d51f645912d2237d5d4b46f4a49e8352ed 
>
> -- MOTION ENDS --
>
> This ballot proposes a Final Maintenance Guideline.
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 2021-05-13 20:00:00 UTC
> End Time: 2021-05-26 14:00:00 UTC
>
> Vote for approval (7 days)
>
> Start Time: 2021-05-26 18:30:00 UTC
> End Time: 2021-06-02 18:30:00 UTC