[cabfpub] Pre-Ballot 125 - CAA Records

Ryan Sleevi sleevi at google.com
Tue Sep 2 17:10:03 MST 2014


On Fri, Aug 29, 2014 at 2:02 PM, Ben Wilson <ben.wilson at digicert.com> wrote:

> Picking up where we left off .. attached is the redlined version that I
> think is closest to where we were on this issue:
>
> 1.  In Section 4 of the Baseline Requirements, add a definition for CAA
> Record as follows:
>
> CAA Record: The Certification Authority Authorization (CAA) DNS Resource
> Record of RFC 6844 (http://tools.ietf.org/html/rfc6844) that allows a DNS
> domain name holder to specify the Certification Authorities (CAs)
> authorized to issue certificates for that domain. Publication of a CAA
> Resource Record allows public Certification Authorities to implement
> additional controls to reduce the risk of unintended certificate mis-issue.
>

Reads like you're saying CAs publishing CAA records benefits them.

"Publication of a CAA Resource Record allows a Domain Name Registrant to
request that Certification Authorities implement additional controls to
reduce the risk of unintended certificate mis-issue."


>
> We might want to abbreviate this definition a bit.
>
> 2.  In Section 8.2.2 (instead of editing warranties in section 7.1.2 or
> verification practices in section 11, as some have suggested) add the
> following to the end of the paragraph on Disclosure:
>
> Effective as of [insert date that is six months from Ballot 125 adoption],
> section 4.2 of a CA's Certificate Policy and/or Certification Practice
> Statement (section 4.1 for CAs still conforming to RFC 2527) shall
> disclose: (1) whether the CA reviews CAA Records, and if so, (2) the CA's
> policy or practice on processing CAA Records and comparing them with
> proposed Domain Names for the Common Name field or Subject Alternative Name
> fields of certificate applications, and (3) any actions taken as a result
> of such comparison.
>
> Any comments or suggestions are welcome.
>

(2) the CA's policy or practice on processing CAA Records for each
Fully-Qualified Domain Name listed in a certificate, and (3) any actions
taken as a result of such a comparison.

The goal of word-smithing (2) is to match the language in 11.1.1, which is
better than trying to enumerate 9.2.1 / 9.2.2 (9.2.2 already has a MUST
that it must have appeared in 9.2.1, so this is redundant anyway).

Of course, you could just reference 9.2.1 directly (e.g. drop the common
name requirement), since any value in 9.2.2 is required to be in 9.2.1 as
well.


>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Sigbjørn Vik
> Sent: Tuesday, July 22, 2014 12:47 AM
> To: Rick Andrews; Geoff Keating; Stephen Davidson
> Cc: cabfpub
> Subject: Re: [cabfpub] Pre-Ballot 125 - CAA Records
>
> On 21-Jul-14 20:11, Rick Andrews wrote:
> > Siggy, how does the addition of a CAA record make DoS or DNS
> > amplification attacks more problematic?
>
> I am no DNS expert, merely relaying comments from our sysadmin. If people
> with more knowledge in the field conclude that this is not an issue, that
> is fine with me, but it should be considered.
>
> > -----Original Message-----
> > From: Sigbjørn Vik [mailto:sigbjorn at opera.com]
> > Sent: Monday, July 21, 2014 12:21 AM
> > To: Rick Andrews; Geoff Keating; Stephen Davidson
> > Cc: cabfpub
> > Subject: Re: [cabfpub] Pre-Ballot 125 - CAA Records
> >
> > On 17-Jul-14 23:51, Rick Andrews wrote:
> >> Siggy,
> >>
> >> There are a number of Security Considerations in Section 6 of the CAA
> >> RFC (http://tools.ietf.org/html/rfc6844#page-13) which detail
> >> possible abuse.
> >
> > I don't see DoS or DNS amplification listed there.
> >
> > --
> > Sigbjørn Vik
> > Opera Software
> >
>
>
> --
> Sigbjørn Vik
> Opera Software
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
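As an added illustration of the per-FQDN CAA processing that disclosure item (2) asks CAs to describe (example code written for this archive page, not anything from the thread, the Forum or RFC 6844 itself), the following walks the DNS tree the way RFC 6844 describes for every name in a request. The zone data, the CA identifier `ca.example.net` and the function names are constructed for the example; CNAME/DNAME handling from the RFC is left out.

```python
# Added example (not from the thread): an RFC 6844-style CAA check run over
# every FQDN requested in a certificate, against a constructed, offline
# "zone" instead of live DNS. CNAME/DNAME handling from RFC 6844 is omitted.
CRITICAL = 128                       # RFC 6844 issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample data: name -> list of (flags, tag, value).
CAA_ZONE = {
    "example.com": [(0, "issue", "ca.example.net"),
                    (0, "issue", "other-ca.example.org; account=230123")],
    "sub.example.com": [(0, "issue", ";")],                 # nobody may issue
    "wild.example.com": [(0, "issue", ";"),
                         (0, "issuewild", "ca.example.net")],
    "crit.example.com": [(CRITICAL, "futuretag", "x")],     # unknown critical tag
}

def relevant_caa(fqdn):
    """Climb from fqdn toward the root; the first non-empty CAA RRset wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if CAA_ZONE.get(name):
            return name, CAA_ZONE[name]
    return None, []

def issuer_domain(value):
    """'ca.example.net; account=123' -> 'ca.example.net'; ';' -> '' (no CA)."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(fqdn, ca_domain):
    """Return (permitted, reason) for one requested name and one CA identifier."""
    wildcard = fqdn.startswith("*.")
    name, rrset = relevant_caa(fqdn[2:] if wildcard else fqdn)
    if name is None:
        return True, "no CAA RRset on the path to the root; issuance unrestricted"
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False, f"{name}: unrecognised issuer-critical tag, must not issue"
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"            # issuewild takes precedence for wildcards
    issuers = [issuer_domain(v) for _, t, v in rrset if t == tag]
    if not issuers:
        return True, f"{name}: no '{tag}' property, not restricted"
    if ca_domain.lower() in issuers:
        return True, f"{name}: '{tag}' authorises {ca_domain}"
    return False, f"{name}: '{tag}' does not list {ca_domain}"

def check_request(san_names, ca_domain):
    """Evaluate every FQDN in a request; a CA would refuse if any is False."""
    return {n: caa_permits(n, ca_domain) for n in san_names}
```

The reason strings are what a CA would log or report under item (3), the actions taken as a result of the comparison.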