[Servercert-wg] Voting Begins for Ballot SC46: Sunset the CAA exception for DNS Operator
bwilson at mozilla.com
Wed May 26 18:35:46 UTC 2021
Mozilla votes "Yes" on Ballot SC46.

On Wed, May 26, 2021 at 12:30 PM Ryan Sleevi via Servercert-wg <servercert-wg at cabforum.org> wrote:
> Unfortunately, I realized belatedly that I forgot to clearly indicate the
> Voting End Time.
> As such, the previous mail did not officially start voting. Thankfully, as
> no votes were received, I think we can just say I didn't start it correctly?
> Please find the corrected announcement below:
> This email begins the voting period for Ballot SC46: Sunset the CAA
> exception for DNS operator
> Purpose of Ballot:
> This Ballot addresses security issues with Section 188.8.131.52 regarding CAA
> Currently, Section 184.108.40.206 permits a CA to bypass CAA checking if the CA
> or an Affiliate of the CA is the DNS Operator. This term is referred to
> through RFC 7719, and involves a precise technical definition regarding how
> a zone's authoritative servers are configured and expressed (e.g. NS
> records). While this allows a CA to skip looking up the CAA record, it does
> not absolve them of the need to look up these other records on every
> As practiced by CAs, this has clearly caused some confusion. For example,
> some CAs have incorrectly implemented policies that determine they're
> authoritative based on self-assertion that they are authoritative, which is
> not consistent with the current requirements.
> To avoid these issues, this sunsets the CAA exception on 2021-07-01 for
> the DNS Operator, simplifying the requirements and reducing ambiguities for
> CAs performing validation.
> The following motion has been proposed by Ryan Sleevi of Google and
> endorsed by Ben Wilson of Mozilla and Jacob Hoffman-Andrews of ISRG/Let's
> It can be viewed on GitHub as
> -- MOTION BEGINS --
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
> based on Version 1.7.4:
> MODIFY the Baseline Requirements as specified in the following Redline:
> -- MOTION ENDS --
> This ballot proposes a Final Maintenance Guideline.
> The procedure for approval of this ballot is as follows:
> Discussion (7+ days)
> Start Time: 2021-05-13 20:00:00 UTC
> End Time: 2021-05-26 14:00:00 UTC
> Vote for approval (7 days)
> Start Time: 2021-05-26 18:30:00 UTC
> End Time: 2021-06-02 18:30:00 UTC