[cabfpub] Continuing the discussion on CAA

Gervase Markham gerv at mozilla.org
Tue Oct 18 08:35:59 UTC 2016


Hi Kirk,

On 17/10/16 18:07, Kirk Hall via Public wrote:
> Gerv, one other point to consider is that many CAs already have hard
> stops that can't be easily overridden for the highest value names you
> listed ("Google or Yahoo or Microsoft" - or Mozilla), so a hard stop
> with CAA would never even be reached via automated requests for those
> domains. 

Indeed, I am aware of this. However, one problem with such a system is
that the domains chosen may well be culturally-conditioned and perhaps
not updated often - what are the key popular websites in Indonesia? Or
Brazil? Or Turkey? And are they the same ones that were important last
year?

Still, it's very relevant that you point out this fact, because the
point in a CA's issuance process where this happens is exactly the point
where I would tell them to insert the CAA check.

In other words, instead of having a static list of high value names
assembled by the CA (which no-one seems to have a problem with, and all
would say is best practice), I am saying we should have a dynamic list
of high value names assembled by the domain owners, with membership of
that list indicated by setting a CAA record. And the effect on the CA's
issuance process should be the same "hard stop that can't be easily
overridden" that you mention is now the case for Google, Yahoo and
Microsoft.

Gerv
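[Editor's worked example, not part of Gerv's message or any CA's code. The "hard stop" Gerv wants a CA to insert at the point where its static high-value-name check already sits is, concretely, a CAA lookup followed by a yes/no decision. The block below implements that decision in Python following the RFC 6844 rules: climb the DNS tree from the requested name until a non-empty CAA RRset is found, refuse if an unknown tag carries the critical flag, apply "issuewild" to wildcard requests and "issue" otherwise, and treat an empty issuer domain (a value of ";") as "nobody may issue". It runs offline against a constructed in-memory zone; the hostnames under example.com and the CA identifiers "ca-a.example" and "ca-b.example" are made-up assumptions for the example, and lookup_caa() stands in for a real DNS query.]

```python
"""Minimal CAA issuance gate after RFC 6844 (added example, offline).

Assumptions: the zone data below is constructed for illustration, and
"ca-a.example" / "ca-b.example" are made-up CA identifiers.
"""
from dataclasses import dataclass

CRITICAL = 0x80                         # RFC 6844 "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed sample zone: name -> CAA RRset. Names absent from the dict
# have no CAA records. This is stand-in data, not real DNS.
ZONE = {
    "example.com":        [CAARecord(0, "issue", "ca-a.example")],
    "strict.example.com": [CAARecord(0, "issue", ";")],             # nobody may issue
    "wild.example.com":   [CAARecord(0, "issue", "ca-a.example"),
                           CAARecord(0, "issuewild", "ca-b.example")],
    "locked.example.com": [CAARecord(CRITICAL, "futuretag", "x")],  # unknown, critical
    "report.example.com": [CAARecord(0, "iodef", "mailto:security@example.com")],
}


def lookup_caa(name, zone=ZONE):
    """Stand-in for a DNS CAA query; returns the RRset (possibly empty)."""
    return list(zone.get(name.lower(), []))


def relevant_caa(name, zone=ZONE):
    """RFC 6844 section 4: the relevant RRset is the first non-empty CAA RRset
    found walking from the requested name towards the root. A wildcard
    request *.X starts the walk at X. Returns (name_where_found, rrset)."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):        # never queries the root itself
        candidate = ".".join(labels[i:])
        rrset = lookup_caa(candidate, zone)
        if rrset:
            return candidate, rrset
    return None, []


def caa_permits(ca_id, name, zone=ZONE):
    """Decide whether the CA identified by ca_id may issue for name.
    Returns (allowed, reason); allowed=False is the hard stop."""
    wildcard = name.startswith("*.")
    found_at, rrset = relevant_caa(name, zone)
    if not rrset:
        return True, "no CAA records: CAA does not restrict issuance"

    # A tag we do not understand with the critical bit set forbids issuance.
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical tag {rr.tag!r} at {found_at}"

    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue does.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"no issue/issuewild property at {found_at}"

    for rr in applicable:
        # value is "<issuer-domain>[; parameters]"; empty issuer domain = no one.
        issuer = rr.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_id.lower():
            return True, f"{rr.tag} record at {found_at} names {ca_id}"
    return False, f"no {applicable[0].tag} record at {found_at} names {ca_id}"


def issuance_gate(ca_id, name, zone=ZONE):
    """The check a CA would place where its static high-value-name stop sits.
    Raises PermissionError on a CAA refusal so callers cannot quietly continue."""
    allowed, reason = caa_permits(ca_id, name, zone)
    if not allowed:
        raise PermissionError(f"CAA hard stop for {name}: {reason}")
    return reason


if __name__ == "__main__":
    for ca, host in [("ca-a.example", "www.example.com"),
                     ("ca-b.example", "www.example.com"),
                     ("ca-a.example", "strict.example.com"),
                     ("ca-b.example", "*.wild.example.com"),
                     ("ca-a.example", "*.wild.example.com"),
                     ("ca-a.example", "locked.example.com")]:
        try:
            print(f"ALLOW {ca} for {host}: {issuance_gate(ca, host)}")
        except PermissionError as e:
            print(f"DENY  {e}")
```

Two design points matter for the "hard stop" framing: the refusal is an exception rather than a boolean a caller might ignore, and an unrecognised tag with the critical flag set refuses by default, so a future CAA property cannot be silently bypassed by an older CA implementation.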


