[cabfpub] Ballot 125 - CAA Records

Ryan Sleevi sleevi at google.com
Tue Oct 7 18:25:54 MST 2014


Google votes Yes.
On Oct 7, 2014 9:17 PM, "Dean Coclin" <Dean_Coclin at symantec.com> wrote:

> Symantec votes YES.
>
>
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On
> Behalf Of *Ben Wilson
> *Sent:* Tuesday, September 30, 2014 11:01 AM
> *To:* CABFPub
> *Subject:* [cabfpub] Ballot 125 - CAA Records
>
>
>
> *Ballot 125 - CAA Records*
>
> Rick Andrews of Symantec made the following motion and Jeremy Rowley of
> Digicert and Ryan Sleevi of Google have endorsed it:
>
> *Reasons for proposed ballot* RFC 6844 defines a Certification Authority
> Authorization DNS Resource Record (CAA). A CAA allows a DNS domain name
> holder to specify the CAs authorized to issue certificates for that domain.
> Publication of the CAA gives CAs and domain holders additional controls to
> reduce the risk of unintended certificate mis-issuance.
>
> The proponents of this ballot believe that this proposed modification to
> the Baseline Requirements, which gives CAs up to six months to update their
> CP and/or CPS to state the degree to which they implement CAA, provides all
> CAs with the flexibility needed to begin implementation of CAA.
>
> *---MOTION BEGINS---*
>
> *Add to Section 4 Definitions, new item:*
>
> *CAA:* From RFC 6844 (http:tools.ietf.org/html/rfc6844
> <http://tools.ietf.org/html/rfc6844>): “The Certification Authority
> Authorization (CAA) DNS Resource Record allows a DNS domain name holder to
> specify the Certification Authorities (CAs) authorized to issue
> certificates for that domain. Publication of CAA Resource Records allows a
> public Certification Authority to implement additional controls to reduce
> the risk of unintended certificate mis-issue.”
>
> *Add the following to the end of Section 8.2.2, Disclosure:*
>
> Effective as of [insert date that is six months from Ballot 125 adoption],
> section 4.2 of a CA's Certificate Policy and/or Certification Practice
> Statement (section 4.1 for CAs still conforming to RFC 2527) SHALL state
> whether the CA reviews CAA Records, and if so, the CA’s policy or practice
> on processing CAA Records for Fully Qualified Domain Names. The CA SHALL
> log all actions taken, if any, consistent with its processing practice.
>
> *The resulting Section 8.2.2 would read as follows:*
>
> The CA SHALL publicly disclose its Certificate Policy and/or Certification
> Practice Statement through an appropriate and readily accessible online
> means that is available on a 24x7 basis. The CA SHALL publicly disclose its
> CA business practices to the extent required by the CA’s selected audit
> scheme (see Section 17.1). The disclosures MUST include all the material
> required by RFC 2527 or RFC 3647, and MUST be structured in accordance with
> either RFC 2527 or RFC 3647. Effective as of [insert date that is six
> months from Ballot 125 adoption], section 4.2 of a CA's Certificate Policy
> and/or Certification Practice Statement (section 4.1 for CAs still
> conforming to RFC 2527) SHALL state whether the CA reviews CAA Records, and
> if so, the CA’s policy or practice on processing CAA Records for Fully
> Qualified Domain Names. The CA SHALL log all actions taken, if any,
> consistent with its processing practice.
>
> *---MOTION ENDS---*
>
> The review period for this ballot shall commence at 2200 UTC on Tuesday,
> 30 September 2014, and will close at 2200 UTC on Tuesday, 7 October 2014.
> Unless the motion is withdrawn during the review period, the voting period
> will start immediately thereafter and will close at 2200 UTC on Tuesday, 14
> October 2014. Votes must be cast by posting an on-list reply to this
> thread.
>
> A vote in favor of the motion must indicate a clear 'yes' in the response.
> A vote against must indicate a clear 'no' in the response. A vote to
> abstain must indicate a clear 'abstain' in the response. Unclear responses
> will not be counted. The latest vote received from any representative of a
> voting member before the close of the voting period will be counted. Voting
> members are listed here: https://cabforum.org/members/
>
> In order for the motion to be adopted, two thirds or more of the votes
> cast by members in the CA category and greater than 50% of the votes cast
> by members in the browser category must be in favor. Quorum is currently
> seven (7) members– at least seven members must participate in the ballot,
> either by voting in favor, voting against, or abstaining.
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20141007/82bd3c6d/attachment-0001.html 


More information about the Public mailing list