[Smcwg-public] CAA and S/MIME

Mon Oct 26 03:03:16 MST 2020

On 24/10/2020 16:21, Stephen Davidson via Smcwg-public wrote:
>
> Hello:
>
>  
>
> The topic of Certification Authority Authorisation (CAA) has arisen a
> number of times in relation to the evolving S/MIME Baseline.
>
> I highlight a discussion on that subject related to the Mozilla
> policy: https://github.com/mozilla/pkipolicy/issues/135
>
> A significant number of email providers – such as gmail.com,
> outlook.com, protonmail.com, and others – have CAA records.
>
>
> Questions for us to address later in our discussions:
>
>  
>
>   * Is CAA a desired requirement of the S/MIME Baseline?
>   * Should the S/MIME Baseline rely upon the existing requirements
>     stated in the TLS BR, or is the S/MIME use case sufficiently
>     different to merit a separate CAA tag?
>
>
Generally, I'm a fan of allowing organisations (however defined) to
specify their policy requirements for publicly trusted certificates via
CAA records; so I would say "yes", it is a desired requirement of the
S/MIME baseline. I would certainly expect it to make its way into the
root program requirements at some point, and having a pan-root program
consensus on those requirements beats having overlapping or potentially
conflicting requirements.

That said, I'm not a fan of ninja semantics (changing the meaning of a
deployed resource where the deployer might not have considered its
eventual full scope) - it seems to me that the "issue" and "issuewild"
tags were framed with TLS certificates in mind[*], and I think extending
"issue" to cover S/MIME could have effects on domain owners which were
not expected. In other words, we would be saying to them that all
certificates are hereby covered, without them having any means of
expressing the policy "I want CA X to issue TLS certificates, but any CA
could issue S/MIME certificates"; so I'm less of a fan of reducing the
expressive potential of domain owners.

To that extent, I think that I'd prefer tags like "issue-tls",
"issue-tls-wildcard", "issue-email", and so on, with similar semantics
which work over "issue" and "issuewild" right now. Once those are in
effect, then you could extend the "issue" tag to mean "all certificates"
as a shorthand, while leaving finer detailed policy expressions.
However, that goes further than anything the S/MIME WG could reasonably
pronounce upon. But "issue-email" to cover S/MIME certs falls within its
charter and seems to have a clearer scope. There's even an opportunity
to allow domain owners to specify the validation methods permissible for
issuance, but that's a whole different discussion.

Just my opinion, of course.

Neil

[*] Genuine question: would "issuewild" have any meaning outside of TLS
certificates?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20201026/5e05c280/attachment.html>