[cabfpub] Continuing the discussion on CAA

Kirk Hall Kirk.Hall at entrust.com
Tue Oct 18 17:36:03 UTC 2016

I agree that CAA is much more comprehensive, and would achieve what you describe.  Just wanted to point out that there are already many safeguards in place for many / most CAs to prevent accidental issuance of very high value domains that would likely come before a CAA check, so we are not defenseless today.  But you are right, this hard-wired stop list would not reach or protect all companies who put a CAA limit in their DNS record.  I doubt that many of these domains are targets of fraudsters compared to the highest level targets.

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Tuesday, October 18, 2016 1:36 AM
To: Kirk Hall <Kirk.Hall at entrust.com>; public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA

Hi Kirk,

On 17/10/16 18:07, Kirk Hall via Public wrote:
> Gerv, one other point to consider is that many CAs already have hard 
> stops that can't be easily overridden for the highest value names you 
> listed ("Google or Yahoo or Microsoft" - or Mozilla), so a hard stop 
> with CAA would never even be reached via automated requests for those 
> domains.

Indeed, I am aware of this. However, one problem with such a system is that the domains chosen may well be culturally-conditioned and perhaps not updated often - what are the key popular websites in Indonesia? Or Brazil? Or Turkey? And are they the same ones that were important last year?

Still, it's very relevant that you point out this fact, because the point in a CA's issuance process where this happens is exactly the point where I would tell them to insert the CAA check.

In other words, instead of having a static list of high value names assembled by the CA (which no-one seems to have a problem with, and all would say is best practice), I am saying we should have a dynamic list of high value names assembled by the domain owners, with membership of that list indicated by setting a CAA record. And the effect on the CA's issuance process should be the same "hard stop that can't be easily overridden" that you mention is now the case for Google, Yahoo and Microsoft.


More information about the Public mailing list